Article: https://sharpsec.run/rce-vulnerability-in-qbittorrent/
tl;dr:
In qBittorrent, the DownloadManager class has ignored every SSL certificate validation error that has ever happened, on every platform, for 14 years and 6 months since April 6 2010 with commit 9824d86.
See line 154 below:
As per the post author, possible exploits include:
- Automated replacement of all Python exes with arbitrary exe: RCE with a single click
- Automated replacement of all qBittorrent update URLs in RSS feed: Browser Hijacking/RCE with moderate user interaction
- Automated replacement of all/specific links in qBittorrent RSS viewer: RCE until 2019, Download Hijacking
The exploit has been fixed in version 5.0.1 and it's there in the Arch repos. Updating to the latest version via pacman should keep your system fine.
2 Likes
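A quick way to confirm that a machine already has the fixed release mentioned above, as an added example that is not part of the original post: it compares the installed package version against 5.0.1. The function names, the `qbittorrent-nox` package name and the choice to ignore the epoch are assumptions of this example.

```shell
#!/bin/sh
# Added example: check whether the installed qBittorrent package is at or
# above the release the post names as fixed.
FIXED="5.0.1"   # fix version stated in the post

# qbt_is_patched VERSION
# VERSION is pacman-style: [epoch:]pkgver[-pkgrel].
# Returns 0 if pkgver >= FIXED, 1 if older, 2 if the string is empty.
# Assumption: the epoch is ignored, only pkgver is compared.
qbt_is_patched() {
    v=${1#*:}    # strip "epoch:" if present
    v=${v%-*}    # strip "-pkgrel" if present
    [ -n "$v" ] || return 2
    # sort -V (GNU coreutils) orders version strings; if FIXED sorts first
    # (or the two are equal), the installed version is not older than the fix.
    lowest=$(printf '%s\n%s\n' "$FIXED" "$v" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED" ]
}

# Report every installed qBittorrent package found by pacman.
# Package names are assumptions: the GUI build and the headless build.
report_installed() {
    for pkg in qbittorrent qbittorrent-nox; do
        ver=$(pacman -Q "$pkg" 2>/dev/null | awk '{print $2}')
        [ -n "$ver" ] || continue          # package not installed
        if qbt_is_patched "$ver"; then
            echo "$pkg $ver: at or above $FIXED"
        else
            echo "$pkg $ver: older than $FIXED, update with pacman -Syu"
        fi
    done
}

# Only query pacman where it exists, so the script is harmless elsewhere.
if command -v pacman >/dev/null 2>&1; then
    report_installed
fi
```

This only checks the version pacman installed; an AppImage, Flatpak or self-built copy has to be checked separately.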
Ben
I got the impression that simply not running it on Windows would keep your system fine - my system has been fine for many years already
3 Likes