Under certain conditions, an attacker could bind to the same port used
by WebCTRL. This could allow the attacker to craft and send malicious
packets and impersonate the WebCTRL service without requiring code
injection into the WebCTRL software.
Credits
Jonathan Lee, Thuy D. Nguyen, and Neil C. Rowe of the Naval Postgraduate School reported this vulnerability to CISA.
