CVE-2023-30262

Summary:

An issue was identified in the MIM Concurrent License Server and MIM Local Concurrent License Server, versions 6.5.0 through 7.0.9, that allows an unauthenticated attacker on the same network as a machine running either service to execute arbitrary code by sending crafted RMI requests, because the service deserializes untrusted data.

No other MIM services are affected by this issue, regardless of version, and no client installations are affected.

The issue is not present in any version of the MIM License Server from 7.1.0 onward, and has been patched in 7.0.10.

For unsupported versions of the MIM Concurrent License Server (6.5.x through 6.9.x), a hotfix is available here.

Referenced Common Weakness Enumerations:

CWE-502

Affected Products and Services:

MIM Concurrent License Server

MIM Local Concurrent License Server

Affected Versions:

6.5.0 through 7.0.9

Recommended Mitigation:

  • Primary Recommendation: Customers are encouraged to upgrade to an available patch version (7.0.10) or any newer version (7.1.0+) which is not affected by the vulnerability.

  • Secondary Recommendation: Customers on an affected version who are unable or unwilling to upgrade remain exposed and do so at their own risk. If, after weighing the risks, a customer chooses not to upgrade, MIM Software has provided a manual hotfix. (Hotfix Link)

  • Temporary/Tertiary Mitigation: Due to the critical nature of this vulnerability, we cannot recommend mitigating measures outside of upgrading or applying the provided hotfix. However, as it may take some sites additional time to upgrade, the following items can be considered in the meantime:

    • Set up firewalls, network boundaries, security groups, or ACLs to limit which machines can connect to the MIM Concurrent License Service (port 13913).
      • Only those clients that require a connection to obtain their licenses should be given access.
    • Limit the permissions and access of the service account running the MIM Concurrent License Server, so that an attacker who gains code execution as that account cannot escalate privileges on the host.
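The two interim measures above (restricting who can reach port 13913, and running the service as a constrained account), as an added example that is not MIM Software's code or documentation. It assumes the license server runs on a Linux host with nftables and systemd; the client addresses, the unit name `mim-license-server.service`, the service user `mimlicense` and the data directory `/var/lib/mim-license` are constructed placeholders, and only port 13913 comes from the advisory. On Windows the equivalent is an inbound Windows Defender Firewall rule for port 13913 whose remote-address scope lists only the licensed clients.

```shell
#!/bin/sh
# Added example, not MIM Software's code. Assumes a Linux host with nftables
# and systemd. Client addresses, the unit name, the service user and the data
# directory are constructed placeholders; port 13913 is from the advisory.

LICENSE_PORT=13913

# Emit an nftables ruleset that lets only the space-separated allowlist of
# IPv4 addresses/CIDRs reach the license port and drops (and logs) every other
# source. Only clients that actually check out licenses belong in the list.
# The accept rule matches IPv4 only; the drop rule covers both address
# families, so IPv6 clients would need an additional "ip6 saddr" accept rule.
build_license_ruleset() {
    joined=""
    for client in $1; do
        if [ -z "$joined" ]; then joined="$client"; else joined="$joined, $client"; fi
    done
    cat <<EOF
table inet mim_license {
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr { $joined } tcp dport $LICENSE_PORT accept
        tcp dport $LICENSE_PORT log prefix "mim-license-denied: " drop
    }
}
EOF
}

# Emit a systemd drop-in that runs the server as an unprivileged account
# (user and group of the same name assumed) with a read-only view of the
# system and no capabilities, so code execution as that account stays
# confined to the service's own data directory.
build_service_hardening() {
    cat <<EOF
[Service]
User=$1
Group=$1
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
CapabilityBoundingSet=
# The one directory the server must write to (assumed path).
ReadWritePaths=$2
EOF
}

# Install both configurations (root required) and show the results.
apply_mitigations() {
    build_license_ruleset "$1" | nft -f -
    mkdir -p /etc/systemd/system/mim-license-server.service.d
    build_service_hardening "$2" "$3" \
        > /etc/systemd/system/mim-license-server.service.d/hardening.conf
    systemctl daemon-reload
    systemctl restart mim-license-server.service
    nft list table inet mim_license
    ss -ltnp | grep ":$LICENSE_PORT"   # listener should still be bound
}

# Run with --apply to install; otherwise just print the generated configs.
if [ "${1:-}" = "--apply" ]; then
    apply_mitigations "10.0.1.10 10.0.1.11 10.0.2.0/24" mimlicense /var/lib/mim-license
else
    build_license_ruleset "10.0.1.10 10.0.1.11 10.0.2.0/24"
    build_service_hardening mimlicense /var/lib/mim-license
fi
```

To verify the network restriction, a TCP connect to port 13913 from a host that is not in the allowlist (for example `nc -z -w 3 <server> 13913`) should time out, and the attempt should appear in the kernel log with the `mim-license-denied:` prefix, while a listed client still obtains its license. Keep the allowlist to the exact client machines that check out licenses; a broad subnet defeats the purpose of the control.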

Discovery:

This vulnerability was discovered and reported by security researcher Eric Guillen in conjunction with The University of Kansas Health System.