KnowBe4 RCE and LPE
Description

Introduction

Our latest investigation has uncovered significant security flaws in three KnowBe4 applications: Phish Alert Button, PasswordIQ, and Second Chance. These applications, commonly used in security awareness and training, were found to have vulnerabilities allowing remote command execution (RCE) and local privilege escalation (LPE). Unusually, the RCE exposed workers to compromise over Wi-Fi, making it a feasible coffee shop attack vector.

TL;DR: Three KnowBe4 applications (Phish Alert Button, PasswordIQ, and Second Chance) were vulnerable to remote command execution (RCE) and local privilege escalation (LPE) vulnerabilities. Through not understanding DNS hijack, KnowBe4 reported CVSS scores to NIST that were far too low. This creates an interesting attack vector over, for example, Wi-Fi at a coffee shop. As a result of having the KnowBe4 apps installed on a laptop, the client was exposed to remote code execution vulnerabilities. This is interesting in itself, as Wi-Fi hotspot attacks other than this are now largely mitigated through O/S design. KnowBe4 initially down-scored the vulnerability significantly, due to not understanding that DNS hijack can be achieved through methods other than router compromise. Despite us raising concerns about this with the vulnerability management team, it was not until we escalated these concerns to the CEO of KnowBe4 that a fix was accelerated. We reviewed their initial fix and flagged that it may not be effective…
