Software vulnerabilities in a Netop classroom management platform could be dangerous as students return to school campuses across the nation.

That’s according to McAfee’s Advanced Threat Research (ATR) team. It has uncovered four critical software vulnerabilities in Netop Vision Pro. Schools globally use the platform to connect teachers and students from K-12 via online distance learning.

More than 3 million teachers and students from across 9,000 school systems use Netop.

If exploited, the software vulnerabilities could allow hackers to gain full control of students’ computers. They could spy on students’ activity over a local network, deploy ransomware, compromise additional accounts on the devices, and more.

In addition, the lack of encryption, insecure design principles and local privilege escalation (LPE) vulnerabilities could allow hackers to emulate teacher commands to fully compromise the machines.

Bringing the Threat Back to School

Douglas McKee is principal engineer and senior security researcher for the McAfee ATR team. He said students have taken home laptops with the software through the pandemic.

McAfee’s Douglas McKee

“If an attacker has obtained access to a network where this software is running – either your home network or a public network, for example – the attacker has had an opportunity to compromise this software,” he said. “So when the student goes back into the school environment, now an attacker may already have a presence on a school network that they never had before. If one student in the student body gets compromised, that entire school is now compromised, everything from the district employees, teachers and students.”

Due to McAfee ATR’s public disclosure, Netop Vision Pro recently delivered a more secure version of the software that schools can move quickly to implement.

Steve Povolny is head of McAfee ATR.

McAfee’s Steve Povolny

“It does take time for schools and districts to patch and apply the new software,” he said. “I would be surprised if it’s not months or longer before we have higher statistics on patch coverage. So the incentive is certainly there still for the attacker.”

No Indication of Exploits

McAfee has no data indicating the vulnerability has been exploited.

“Visibility and awareness are the most important things,” McKee said. “And it’s why we share as many assets as possible for every level where it applies to everyone from an MSSP, to a parent, school district, administrator and a SOC analyst. We urge the school districts to apply software updates, and be clear in communicating with parents and families.”

In the future, it’s important to have a proactive plan within school systems, McKee said. That includes patches, network isolation and password management.