SUMMARY

The following vulnerability was found in Visualware MyConnection Server 11.0 – 11.0b.

An unauthenticated remote code execution vulnerability was discovered in Visualware MyConnection Server 11.0 through 11.0b build 5382. The web endpoint at "https://example.com/myspeed/sf" allows an unauthenticated user to upload an arbitrary file to an arbitrary location via a specially crafted POST request. The application is written in Java and is thus cross-platform. The Windows installation runs the web server as SYSTEM, which means that exploitation provides Administrator privileges on the target system.
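A log triage check for the endpoint described above, as an added example that is not part of the original advisory. It assumes a reverse proxy in front of the server writing Apache/nginx combined-format access logs, and the sample lines are constructed. The advisory does not say what legitimate traffic to this path looks like, so hits are leads for review.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Path named in the advisory; log format and sample data below are assumptions.
TARGET_PATH = "/myspeed/sf"

# Assumed format: Apache/nginx "combined" access log.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def normalise(target):
    """Reduce a request target to a comparable path so padded variants still match."""
    path = unquote(target.split("?", 1)[0])   # drop query string, decode %xx
    path = re.sub(r"/{2,}", "/", path)        # collapse repeated slashes
    path = re.sub(r";[^/]*", "", path)        # drop ;name=value path parameters
    return path.rstrip("/").lower()           # lowercasing deliberately over-matches

def find_uploads(lines):
    """Return {source_ip: [(timestamp, status, raw_target), ...]} for POSTs to TARGET_PATH."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if normalise(m["target"]) == TARGET_PATH:
            hits[m["ip"]].append((m["ts"], int(m["status"]), m["target"]))
    return dict(hits)

# Constructed sample lines using documentation address ranges; not real traffic.
SAMPLE = [
    '198.51.100.23 - - [01/Jan/2024:03:14:07 +0000] "POST /myspeed/sf HTTP/1.1" 200 512 "-" "ExampleAgent/1.0"',
    '203.0.113.5 - - [01/Jan/2024:03:15:00 +0000] "GET /myspeed/sf HTTP/1.1" 200 1024 "-" "ExampleAgent/1.0"',
    '198.51.100.23 - - [01/Jan/2024:03:14:09 +0000] "POST /MySpeed//sf;x=1?a=b HTTP/1.1" 200 20 "-" "ExampleAgent/1.0"',
    '192.0.2.77 - - [01/Jan/2024:03:16:30 +0000] "POST /myspeed/sfx HTTP/1.1" 404 0 "-" "ExampleAgent/1.0"',
    '192.0.2.77 - - [01/Jan/2024:03:16:31 +0000] "POST /login HTTP/1.1" 302 - "-" "ExampleAgent/1.0"',
]

if __name__ == "__main__":
    for ip, events in find_uploads(SAMPLE).items():
        print(f"{ip}: {len(events)} POST(s) to {TARGET_PATH}")
        for ts, status, target in events:
            print(f"  {ts}  status={status}  target={target}")
```

Each hit is worth correlating with files created on the server around the same timestamp.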

IMPACT

Access Vector:      REMOTE
Access Complexity:  LOW
Authentication:     NOT REQUIRED TO EXPLOIT
Impact Type:        CODE EXECUTION
Privilege Level:    VARIES

TIMELINE

REFERENCES