Jamovi 0.9.5.5 Exploit Jun 2026

Regularly back up your data to prevent loss in case of a security breach or other issues.

Jamovi 0.9.5.5’s bundled R packages are outdated by modern standards. An attacker could register a rogue R package on a public or private repository with the same name as a missing dependency that jamovi attempts to auto-install. Since jamovi may not enforce checksum or signature verification for dependency resolution, this could lead to remote code execution.
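The missing control described above, sketched as a pre-install gate; this is an added example, not code from jamovi or from the original page. The lockfile layout, package names, hosts and the verify_package helper are assumptions made for illustration, and the sample data is constructed.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed lockfile: package names, hosts and digests are placeholders,
# not values taken from jamovi or any real repository.
GOOD_TARBALL = b"constructed bytes standing in for examplepkg_1.0.tar.gz"
LOCK = {
    "examplepkg": {
        "host": "repo.internal.example",
        "sha256": hashlib.sha256(GOOD_TARBALL).hexdigest(),
    }
}


def verify_package(name, source_url, tarball, lock=LOCK):
    """Return (ok, reason). Call before handing the file to the installer."""
    entry = lock.get(name)
    if entry is None:
        # An unpinned name is exactly the slot a same-named rogue package fills.
        return False, "not pinned"
    parsed = urlparse(source_url)
    if parsed.scheme != "https" or parsed.hostname != entry["host"]:
        # Right name, wrong repository: refuse instead of falling back.
        return False, "unexpected repository"
    digest = hashlib.sha256(tarball).hexdigest()
    if not hmac.compare_digest(digest, entry["sha256"]):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    internal = "https://repo.internal.example/src/"
    cases = [
        ("examplepkg", internal + "examplepkg_1.0.tar.gz", GOOD_TARBALL),
        ("examplepkg", "https://public.example/src/examplepkg_1.0.tar.gz", GOOD_TARBALL),
        ("examplepkg", internal + "examplepkg_1.0.tar.gz", b"tampered"),
        ("missingdep", internal + "missingdep_0.1.tar.gz", b"anything"),
    ]
    for name, url, data in cases:
        print(name, url, verify_package(name, url, data))
```

Rejecting unpinned names outright, rather than resolving them from whichever repository answers first, is what closes the name-collision path.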

When jamovi opens an .omv file, it uses R’s readRDS() or similar serialization mechanisms to deserialize data.bin. In R, deserializing untrusted data can lead to arbitrary code execution if the R environment contains objects that exploit “promise” evaluation or unserialize() gadget chains. Versions of R before 4.0.0 (which jamovi 0.9.5.5 may bundle) were vulnerable to specific object deserialization flaws (e.g., CVE-2019-13626 in R itself).

Upon execution, the system() function triggers the bash command, providing a reverse shell on your listener.

Impact and Post-Exploitation