CWE-426
Untrusted Search Path
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
CVE-2025-27167 (GCVE-0-2025-27167)
Vulnerability from cvelistv5 – Published: 2025-03-11 18:00 – Updated: 2025-03-11 18:31
VLAI
Title
Illustrator | Untrusted Search Path (CWE-426)
Summary
Illustrator versions 29.2.1, 28.7.4 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute their own programs, access unauthorized data files, or modify configuration in unexpected ways. If the application uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. The problem extends to any type of critical resource that the application trusts.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-426 - Untrusted Search Path (CWE-426)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/illustr… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Illustrator |
Affected:
0 , ≤ 28.7.4
(semver)
|
Date Public
2025-03-11 17:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27167",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-11T18:28:42.085246Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T18:31:11.430Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Illustrator",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "28.7.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-03-11T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Illustrator versions 29.2.1, 28.7.4 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute their own programs, access unauthorized data files, or modify configuration in unexpected ways. If the application uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. The problem extends to any type of critical resource that the application trusts."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "LOCAL",
"modifiedAvailabilityImpact": "HIGH",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "UNCHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "Untrusted Search Path (CWE-426)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T18:00:29.239Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/illustrator/apsb25-17.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Illustrator | Untrusted Search Path (CWE-426)"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2025-27167",
"datePublished": "2025-03-11T18:00:29.239Z",
"dateReserved": "2025-02-19T22:28:19.017Z",
"dateUpdated": "2025-03-11T18:31:11.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27743 (GCVE-0-2025-27743)
Vulnerability from cvelistv5 – Published: 2025-04-08 17:23 – Updated: 2026-02-13 19:32
VLAI
Title
Microsoft System Center Elevation of Privilege Vulnerability
Summary
Untrusted search path in System Center allows an authorized attacker to elevate privileges locally.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-426 - Untrusted Search Path
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerabi… | vendor-advisorypatch |
Impacted products
15 products
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | System Center Data Protection Manager 2019 |
Affected:
-
|
|
| Microsoft | System Center Data Protection Manager 2022 |
Affected:
-
|
|
| Microsoft | System Center Data Protection Manager 2025 |
Affected:
-
|
|
| Microsoft | System Center Operations Manager 2019 |
Affected:
-
|
|
| Microsoft | System Center Operations Manager 2022 |
Affected:
-
|
|
| Microsoft | System Center Operations Manager 2025 |
Affected:
-
|
|
| Microsoft | System Center Orchestrator 2019 |
Affected:
-
|
|
| Microsoft | System Center Orchestrator 2022 |
Affected:
-
|
|
| Microsoft | System Center Orchestrator 2025 |
Affected:
-
|
|
| Microsoft | System Center Service Manager 2019 |
Affected:
-
|
|
| Microsoft | System Center Service Manager 2022 |
Affected:
-
|
|
| Microsoft | System Center Service Manager 2025 |
Affected:
-
|
|
| Microsoft | System Center Virtual Machine Manager 2019 |
Affected:
-
|
|
| Microsoft | System Center Virtual Machine Manager 2022 |
Affected:
-
|
|
| Microsoft | System Center Virtual Machine Manager 2025 |
Affected:
-
|
Date Public
2025-04-08 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27743",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-08T19:57:39.876585Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T19:57:50.616Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "System Center Data Protection Manager 2019",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "-"
}
]
},
{
"product": "System Center Data Protection Manager 2022",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "-"
}
]
},
{
"product": "System Center Data Protection Manager 2025",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "-"
}
]
},
{
"product": "System Center Operations Manager 2019",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "-"
}
]
},
{
"product": "System Center Operations Manager 2022",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "-"
}
]
},
{
"product": "System Center Operations Manager 2025",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "-"
}
]
},
{
"product": "System Center Orchestrator 2019",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "-"
}
]
},
{
"product": "System Center Orchestrator 2022",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "-"
}
]
},
{
"product": "System Center Orchestrator 2025",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "-"
}
]
},
{
"product": "System Center Service Manager 2019",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "-"
}
]
},
{
"product": "System Center Service Manager 2022",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "-"
}
]
},
{
"product": "System Center Service Manager 2025",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "-"
}
]
},
{
"product": "System Center Virtual Machine Manager 2019",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "-"
}
]
},
{
"product": "System Center Virtual Machine Manager 2022",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "-"
}
]
},
{
"product": "System Center Virtual Machine Manager 2025",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "-"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:system_center_virtual_machine_manager_2022:*:*:*:*:*:*:*:*",
"versionStartIncluding": "-",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:system_center_virtual_machine_manager_2019:*:*:*:*:*:*:*:*",
"versionStartIncluding": "-",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:system_center_virtual_machine_manager_2025:*:*:*:*:*:*:*:*",
"versionStartIncluding": "-",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:system_center_data_protection_manager_2025:*:*:*:*:*:*:*:*",
"versionStartIncluding": "-",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:system_center_data_protection_manager_2022:*:*:*:*:*:*:*:*",
"versionStartIncluding": "-",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:system_center_data_protection_manager_2019:*:*:*:*:*:*:*:*",
"versionStartIncluding": "-",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:system_center_orchestrator_2019:*:*:*:*:*:*:*:*",
"versionStartIncluding": "-",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:system_center_orchestrator_2022:*:*:*:*:*:*:*:*",
"versionStartIncluding": "-",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:system_center_orchestrator_2025:*:*:*:*:*:*:*:*",
"versionStartIncluding": "-",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:system_center_service_manager_2019:*:*:*:*:*:*:*:*",
"versionStartIncluding": "-",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:system_center_service_manager_2022:*:*:*:*:*:*:*:*",
"versionStartIncluding": "-",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:system_center_service_manager_2025:*:*:*:*:*:*:*:*",
"versionStartIncluding": "-",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:system_center_operations_manager_2019:*:-:*:*:*:*:*:*",
"versionStartIncluding": "-",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:system_center_operations_manager_2022:*:-:*:*:*:*:*:*",
"versionStartIncluding": "-",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:system_center_operations_manager_2025:*:-:*:*:*:*:*:*",
"versionStartIncluding": "-",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2025-04-08T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Untrusted search path in System Center allows an authorized attacker to elevate privileges locally."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "CWE-426: Untrusted Search Path",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T19:32:43.265Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Microsoft System Center Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-27743"
}
],
"title": "Microsoft System Center Elevation of Privilege Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2025-27743",
"datePublished": "2025-04-08T17:23:25.628Z",
"dateReserved": "2025-03-06T04:26:08.553Z",
"dateUpdated": "2026-02-13T19:32:43.265Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30399 (GCVE-0-2025-30399)
Vulnerability from cvelistv5 – Published: 2025-06-13 01:08 – Updated: 2026-02-20 16:00
VLAI
Title
.NET and Visual Studio Remote Code Execution Vulnerability
Summary
Untrusted search path in .NET and Visual Studio allows an unauthorized attacker to execute code over a network.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-426 - Untrusted Search Path
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerabi… | vendor-advisorypatch |
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | .NET 8.0 |
Affected:
8.0.0 , < 8.0.17
(custom)
|
|
| Microsoft | .NET 9.0 |
Affected:
9.0.0 , < 9.0.6
(custom)
|
|
| Microsoft | Microsoft Visual Studio 2022 version 17.10 |
Affected:
17.10.0 , < 17.10.16
(custom)
|
|
| Microsoft | Microsoft Visual Studio 2022 version 17.12 |
Affected:
17.12.0 , < 17.12.9
(custom)
|
|
| Microsoft | Microsoft Visual Studio 2022 version 17.14 |
Affected:
17.14.0 , < 17.14.5
(custom)
|
|
| Microsoft | Microsoft Visual Studio 2022 version 17.8 |
Affected:
17.8.0 , < 17.8.22
(custom)
|
|
| Microsoft | PowerShell 7.4 |
Affected:
7.4.0 , < 7.4.11
(custom)
|
|
| Microsoft | PowerShell 7.5 |
Affected:
7.5.0 , < 7.5.2
(custom)
|
Date Public
2025-06-10 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30399",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T15:46:01.058158Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T15:46:09.476Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": ".NET 8.0",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "8.0.17",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
},
{
"product": ".NET 9.0",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "9.0.6",
"status": "affected",
"version": "9.0.0",
"versionType": "custom"
}
]
},
{
"product": "Microsoft Visual Studio 2022 version 17.10",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "17.10.16",
"status": "affected",
"version": "17.10.0",
"versionType": "custom"
}
]
},
{
"product": "Microsoft Visual Studio 2022 version 17.12",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "17.12.9",
"status": "affected",
"version": "17.12.0",
"versionType": "custom"
}
]
},
{
"product": "Microsoft Visual Studio 2022 version 17.14",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "17.14.5",
"status": "affected",
"version": "17.14.0",
"versionType": "custom"
}
]
},
{
"product": "Microsoft Visual Studio 2022 version 17.8",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "17.8.22",
"status": "affected",
"version": "17.8.0",
"versionType": "custom"
}
]
},
{
"product": "PowerShell 7.4",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "7.4.11",
"status": "affected",
"version": "7.4.0",
"versionType": "custom"
}
]
},
{
"product": "PowerShell 7.5",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "7.5.2",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:powershell:*:-:*:*:*:*:*:*",
"versionEndExcluding": "7.4.11",
"versionStartIncluding": "7.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:powershell:*:-:*:*:*:*:*:*",
"versionEndExcluding": "7.5.2",
"versionStartIncluding": "7.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
"versionEndExcluding": "8.0.17",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
"versionEndExcluding": "9.0.6",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*",
"versionEndExcluding": "17.12.9",
"versionStartIncluding": "17.12.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*",
"versionEndExcluding": "17.8.22",
"versionStartIncluding": "17.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*",
"versionEndExcluding": "17.10.16",
"versionStartIncluding": "17.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*",
"versionEndExcluding": "17.14.5",
"versionStartIncluding": "17.14.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2025-06-10T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Untrusted search path in .NET and Visual Studio allows an unauthorized attacker to execute code over a network."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "CWE-426: Untrusted Search Path",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T16:00:32.339Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": ".NET and Visual Studio Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30399"
}
],
"title": ".NET and Visual Studio Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2025-30399",
"datePublished": "2025-06-13T01:08:00.208Z",
"dateReserved": "2025-03-21T19:09:29.816Z",
"dateUpdated": "2026-02-20T16:00:32.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30407 (GCVE-0-2025-30407)
Vulnerability from cvelistv5 – Published: 2025-03-26 21:32 – Updated: 2026-02-26 19:09
VLAI
Summary
Local privilege escalation due to a binary hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39713.
Severity
6.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security-advisory.acronis.com/advisories/… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Acronis | Acronis Cyber Protect Cloud Agent |
Affected:
unspecified , < 39713
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30407",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-24T03:55:19.722136Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T19:09:10.614Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Acronis Cyber Protect Cloud Agent",
"vendor": "Acronis",
"versions": [
{
"lessThan": "39713",
"status": "affected",
"version": "unspecified",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Local privilege escalation due to a binary hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39713."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "CWE-426",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T21:32:30.085Z",
"orgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175",
"shortName": "Acronis"
},
"references": [
{
"name": "SEC-8414",
"tags": [
"vendor-advisory"
],
"url": "https://security-advisory.acronis.com/advisories/SEC-8414"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175",
"assignerShortName": "Acronis",
"cveId": "CVE-2025-30407",
"datePublished": "2025-03-26T21:32:30.085Z",
"dateReserved": "2025-03-21T21:04:39.510Z",
"dateUpdated": "2026-02-26T19:09:10.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-31480 (GCVE-0-2025-31480)
Vulnerability from cvelistv5 – Published: 2025-04-04 14:49 – Updated: 2025-04-04 14:57
VLAI
Title
aiven-extras allows PostgreSQL Privilege Escalation through format function
Summary
aiven-extras is a PostgreSQL extension. This is a privilege escalation vulnerability, allowing elevation to superuser inside PostgreSQL databases that use the aiven-extras package. The vulnerability leverages the format function not being schema-prefixed. Affected users should install 1.1.16 and ensure they run the latest version issuing ALTER EXTENSION aiven_extras UPDATE TO '1.1.16' after installing it. This needs to happen in each database aiven_extras has been installed in.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-426 - Untrusted Search Path
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/aiven/aiven-extras/security/ad… | x_refsource_CONFIRM |
| https://github.com/aiven/aiven-extras/commit/77b5… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| aiven | aiven-extras |
Affected:
< 1.1.16
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31480",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-04T14:57:39.462536Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-04T14:57:54.321Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "aiven-extras",
"vendor": "aiven",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "aiven-extras is a PostgreSQL extension. This is a privilege escalation vulnerability, allowing elevation to superuser inside PostgreSQL databases that use the aiven-extras package. The vulnerability leverages the format function not being schema-prefixed. Affected users should install 1.1.16 and ensure they run the latest version issuing ALTER EXTENSION aiven_extras UPDATE TO \u00271.1.16\u0027 after installing it. This needs to happen in each database aiven_extras has been installed in."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "CWE-426: Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-04T14:49:30.863Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aiven/aiven-extras/security/advisories/GHSA-33xh-jqgf-6627",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aiven/aiven-extras/security/advisories/GHSA-33xh-jqgf-6627"
},
{
"name": "https://github.com/aiven/aiven-extras/commit/77b5f19a0c1d196bc741ff5c774f85fe7ca3063b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aiven/aiven-extras/commit/77b5f19a0c1d196bc741ff5c774f85fe7ca3063b"
}
],
"source": {
"advisory": "GHSA-33xh-jqgf-6627",
"discovery": "UNKNOWN"
},
"title": "aiven-extras allows PostgreSQL Privilege Escalation through format function"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31480",
"datePublished": "2025-04-04T14:49:30.863Z",
"dateReserved": "2025-03-28T13:36:51.297Z",
"dateUpdated": "2025-04-04T14:57:54.321Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39666 (GCVE-0-2025-39666)
Vulnerability from cvelistv5 – Published: 2026-04-07 12:09 – Updated: 2026-04-07 13:18
VLAI
Title
omd: Local privilege escalation when executing omd commands as root
Summary
Local privilege escalation in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows a site user to escalate their privileges to root, by manipulating files in the site context that are processed when the `omd` administrative command is run by root.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://checkmk.com/werk/18891 | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Checkmk GmbH | Checkmk |
Affected:
2.2.0
(semver)
Affected: 2.3.0 , < 2.3.0p46 (semver) Affected: 2.4.0 , < 2.4.0p25 (semver) Affected: 2.5.0b1 , < 2.5.0b3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-39666",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T13:18:12.687066Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T13:18:19.609Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Checkmk",
"vendor": "Checkmk GmbH",
"versions": [
{
"status": "affected",
"version": "2.2.0",
"versionType": "semver"
},
{
"lessThan": "2.3.0p46",
"status": "affected",
"version": "2.3.0",
"versionType": "semver"
},
{
"lessThan": "2.4.0p25",
"status": "affected",
"version": "2.4.0",
"versionType": "semver"
},
{
"lessThan": "2.5.0b3",
"status": "affected",
"version": "2.5.0b1",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:checkmk:checkmk:2.2.0:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.3.0p46",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.4.0p25",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.5.0b3",
"versionStartIncluding": "2.5.0b1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Local privilege escalation in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows a site user to escalate their privileges to root, by manipulating files in the site context that are processed when the `omd` administrative command is run by root."
}
],
"impacts": [
{
"capecId": "CAPEC-471",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-471: Search Order Hijacking"
}
]
},
{
"capecId": "CAPEC-17",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-17: Accessing, Modifying or Executing Executable Files"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "CWE-426: Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T12:09:07.609Z",
"orgId": "f7d6281c-4801-44ce-ace2-493291dedb0f",
"shortName": "Checkmk"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://checkmk.com/werk/18891"
}
],
"title": "omd: Local privilege escalation when executing omd commands as root",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f7d6281c-4801-44ce-ace2-493291dedb0f",
"assignerShortName": "Checkmk",
"cveId": "CVE-2025-39666",
"datePublished": "2026-04-07T12:09:07.609Z",
"dateReserved": "2025-04-16T07:07:38.257Z",
"dateUpdated": "2026-04-07T13:18:19.609Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40909 (GCVE-0-2025-40909)
Vulnerability from cvelistv5 – Published: 2025-05-30 12:20 – Updated: 2026-04-18 14:15
VLAI
Title
Perl threads have a working directory race condition where file operations may target unintended paths
Summary
Perl threads have a working directory race condition where file operations may target unintended paths.
If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running.
This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit.
The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6
Severity
5.9 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
18 references
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-18T14:15:40.356Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/05/23/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/05/30/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/06/02/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/06/02/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/06/02/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/06/02/7"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/06/03/1"
},
{
"url": "http://seclists.org/fulldisclosure/2025/Sep/55"
},
{
"url": "http://seclists.org/fulldisclosure/2025/Sep/54"
},
{
"url": "http://seclists.org/fulldisclosure/2025/Sep/53"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00018.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-40909",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-30T14:05:00.839656Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T14:09:50.842Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "perl",
"product": "perl",
"programRoutines": [
{
"name": "threads"
}
],
"repo": "https://github.com/perl/perl5",
"vendor": "perl",
"versions": [
{
"lessThan": "5.41.13",
"status": "affected",
"version": "5.13.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Vincent Lefevre"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Perl threads have a working directory race condition where file operations may target unintended paths.\u003cbr\u003e\u003cbr\u003eIf a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone\u0026nbsp;that handle for the new thread, which is visible from any third (or\u0026nbsp;more) thread already running. \u003cbr\u003e\u003cbr\u003eThis may lead to unintended operations\u0026nbsp;such as loading code or accessing files from unexpected locations,\u0026nbsp;which a local attacker may be able to exploit.\u003cbr\u003e\u003cbr\u003eThe bug was introduced in commit\u0026nbsp;11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6"
}
],
"value": "Perl threads have a working directory race condition where file operations may target unintended paths.\n\nIf a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone\u00a0that handle for the new thread, which is visible from any third (or\u00a0more) thread already running. \n\nThis may lead to unintended operations\u00a0such as loading code or accessing files from unexpected locations,\u00a0which a local attacker may be able to exploit.\n\nThe bug was introduced in commit\u00a011a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-689",
"description": "CWE-689 Permission Race Condition During Resource Copy",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "CWE-426 Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T13:24:00.827Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/Perl/perl5/commit/918bfff86ca8d6d4e4ec5b30994451e0bd74aba9.patch"
},
{
"tags": [
"mailing-list",
"exploit"
],
"url": "https://www.openwall.com/lists/oss-security/2025/05/22/2"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/Perl/perl5/issues/23010"
},
{
"tags": [
"related"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098226"
},
{
"tags": [
"related"
],
"url": "https://github.com/Perl/perl5/issues/10387"
},
{
"tags": [
"related"
],
"url": "https://perldoc.perl.org/5.14.0/perl5136delta#Directory-handles-not-copied-to-threads"
},
{
"tags": [
"related"
],
"url": "https://github.com/Perl/perl5/commit/11a11ecf4bea72b17d250cfb43c897be1341861e"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update perl to an unaffected version, or apply the patch provided in the references section."
}
],
"value": "Update perl to an unaffected version, or apply the patch provided in the references section."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Perl threads have a working directory race condition where file operations may target unintended paths",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2025-40909",
"datePublished": "2025-05-30T12:20:11.237Z",
"dateReserved": "2025-04-16T09:05:34.360Z",
"dateUpdated": "2026-04-18T14:15:40.356Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-4272 (GCVE-0-2025-4272)
Vulnerability from cvelistv5 – Published: 2025-05-05 11:00 – Updated: 2025-05-05 12:32
VLAI
Title
Mechrevo Control Console GCUService csCAPI.dll uncontrolled search path
Summary
A vulnerability was found in Mechrevo Control Console 1.0.2.70. It has been rated as critical. Affected by this issue is some unknown functionality in the library C:\Program Files\OEM\MECHREVO Control Center\UniwillService\MyControlCenter\csCAPI.dll of the component GCUService. The manipulation leads to uncontrolled search path. An attack has to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.307376 | vdb-entry |
| https://vuldb.com/?ctiid.307376 | signaturepermissions-required |
| https://vuldb.com/?submit.563468 | third-party-advisory |
| https://www.yuque.com/ba1ma0-an29k/nnxoap/bhd5ckq… | related |
| https://drive.google.com/file/d/1VKhLyW0oglACkt-5… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mechrevo | Control Console |
Affected:
1.0.2.70
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4272",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T12:32:38.631177Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T12:32:51.133Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"GCUService"
],
"product": "Control Console",
"vendor": "Mechrevo",
"versions": [
{
"status": "affected",
"version": "1.0.2.70"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ba1_Ma0 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Mechrevo Control Console 1.0.2.70. It has been rated as critical. Affected by this issue is some unknown functionality in the library C:\\Program Files\\OEM\\MECHREVO Control Center\\UniwillService\\MyControlCenter\\csCAPI.dll of the component GCUService. The manipulation leads to uncontrolled search path. An attack has to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "Eine kritische Schwachstelle wurde in Mechrevo Control Console 1.0.2.70 ausgemacht. Es geht hierbei um eine nicht n\u00e4her spezifizierte Funktion in der Bibliothek C:\\Program Files\\OEM\\MECHREVO Control Center\\UniwillService\\MyControlCenter\\csCAPI.dll der Komponente GCUService. Durch die Manipulation mit unbekannten Daten kann eine uncontrolled search path-Schwachstelle ausgenutzt werden. Der Angriff muss lokal passieren. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie ist schwierig ausnutzbar. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6,
"vectorString": "AV:L/AC:H/Au:S/C:C/I:C/A:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "Uncontrolled Search Path",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T11:00:07.406Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-307376 | Mechrevo Control Console GCUService csCAPI.dll uncontrolled search path",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.307376"
},
{
"name": "VDB-307376 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.307376"
},
{
"name": "Submit #563468 | MECHREVO Control Console 1.0.2.70 Elevation Of Privilege",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.563468"
},
{
"tags": [
"related"
],
"url": "https://www.yuque.com/ba1ma0-an29k/nnxoap/bhd5ckqugggmpttp?singleDoc"
},
{
"tags": [
"exploit"
],
"url": "https://drive.google.com/file/d/1VKhLyW0oglACkt-5PgTtN9oRB2jMczeh/view?usp=sharing"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-05-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-05-05T12:56:07.000Z",
"value": "VulDB entry last update"
}
],
"title": "Mechrevo Control Console GCUService csCAPI.dll uncontrolled search path"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-4272",
"datePublished": "2025-05-05T11:00:07.406Z",
"dateReserved": "2025-05-04T18:28:23.181Z",
"dateUpdated": "2025-05-05T12:32:51.133Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-43079 (GCVE-0-2025-43079)
Vulnerability from cvelistv5 – Published: 2025-11-10 17:10 – Updated: 2026-03-18 17:10
VLAI
Title
Local Privilege Escalation via qagent_uninstall.sh Qualys Cloud Agents
Summary
The Qualys Cloud Agent included a bundled uninstall script (qagent_uninstall.sh), specific to Mac and Linux supported versions that invoked multiple system commands without using absolute paths and without sanitizing the $PATH environment. If the uninstall script is executed with elevated privileges (e.g., via sudo) in an environment where $PATH has been manipulated, an attacker with root/sudo privileges could cause malicious executables to be run in place of the intended system binaries. This behavior can be leveraged for local privilege escalation and arbitrary command execution under elevated privileges.
Severity
6.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-426 - Untrusted Search Path
Assigner
References
1 reference
Impacted products
11 products
| Vendor | Product | Version | |
|---|---|---|---|
| Qualys Inc | Qualys Agent |
Affected:
5.0 , < 7.2.3
(custom)
|
|
| Qualys Inc | Qualys Agent |
Affected:
3.12 , < 7.1.0
(custom)
|
|
| Qualys Inc | Qualys Agent |
Affected:
4.17 , < 6.0.0
(custom)
|
|
| Qualys Inc | Qualys Agent |
Affected:
0 , < 6.2.1
(custom)
|
|
| Qualys Inc | Qualys Agent |
Affected:
0 , < 6.3.1
(custom)
|
|
| Qualys Inc | Qualys Agent |
Affected:
0 , < 3.31.1-8
(custom)
|
|
| Qualys Inc | Qualys Agent |
Affected:
0 , < 3.21.1-6
(custom)
|
|
| Qualys Inc | Qualys Agent |
Affected:
0 , < 4.2.6
(custom)
|
|
| Qualys Inc | Qualys Agent |
Affected:
0 , < 5.0.3
(custom)
|
|
| Qualys Inc | Qualys Agent |
Affected:
0 , < 5.0.2
(custom)
|
|
| Qualys Inc | Qualys Agent |
Affected:
0 , < 6.0.3
(custom)
|
Date Public
2025-11-10 16:32
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-43079",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-11T04:55:38.944965Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:47:03.045Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "Qualys Agent",
"vendor": "Qualys Inc",
"versions": [
{
"lessThan": "7.2.3",
"status": "affected",
"version": "5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"platforms": [
"BSD"
],
"product": "Qualys Agent",
"vendor": "Qualys Inc",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "3.12",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"platforms": [
"IBM AIX"
],
"product": "Qualys Agent",
"vendor": "Qualys Inc",
"versions": [
{
"lessThan": "6.0.0",
"status": "affected",
"version": "4.17",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"MacOS",
"x86",
"64 bit"
],
"product": "Qualys Agent",
"vendor": "Qualys Inc",
"versions": [
{
"lessThan": "6.2.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"MacOS (M Series Silicon CPU)"
],
"product": "Qualys Agent",
"vendor": "Qualys Inc",
"versions": [
{
"lessThan": "6.3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"zLinux"
],
"product": "Qualys Agent",
"vendor": "Qualys Inc",
"versions": [
{
"lessThan": "3.31.1-8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"PPC"
],
"product": "Qualys Agent",
"vendor": "Qualys Inc",
"versions": [
{
"lessThan": "3.21.1-6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"CoreOS"
],
"product": "Qualys Agent",
"vendor": "Qualys Inc",
"versions": [
{
"lessThan": "4.2.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Bottlerocket Intel"
],
"product": "Qualys Agent",
"vendor": "Qualys Inc",
"versions": [
{
"lessThan": "5.0.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"GoogleCOS"
],
"product": "Qualys Agent",
"vendor": "Qualys Inc",
"versions": [
{
"lessThan": "5.0.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Bottlerocket",
"ARM"
],
"product": "Qualys Agent",
"vendor": "Qualys Inc",
"versions": [
{
"lessThan": "6.0.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eLocal access to the system (the attacker must be local).\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eAbility to run sudo or root (the uninstall script requires sudo at minimum for execution or must be run as root).\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eAbility to modify $PATH (temporarily in the shell session used to launch the uninstall script, or persistently via writable shell configuration files such as ~/.bashrc, ~/.zshrc).\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eExecution of qagent_uninstall.sh within the compromised environment where $PATH points to attacker-controlled locations.\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003eBecause exploitation requires the ability to run sudo (or be root), the vulnerability is not remotely exploitable by default \u2014 it relies on local privilege and environment manipulation, but the consequences are elevated (execution under high privilege). \u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\n\n\u003cbr\u003e"
}
],
"value": "* Local access to the system (the attacker must be local).\n\n\n * Ability to run sudo or root (the uninstall script requires sudo at minimum for execution or must be run as root).\n\n\n * Ability to modify $PATH (temporarily in the shell session used to launch the uninstall script, or persistently via writable shell configuration files such as ~/.bashrc, ~/.zshrc).\n\n\n * Execution of qagent_uninstall.sh within the compromised environment where $PATH points to attacker-controlled locations.\n\n\n\n\n\n\nBecause exploitation requires the ability to run sudo (or be root), the vulnerability is not remotely exploitable by default \u2014 it relies on local privilege and environment manipulation, but the consequences are elevated (execution under high privilege)."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:linux:*:*:*:*:*",
"versionEndExcluding": "7.2.3",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:bsd:*:*:*:*:*",
"versionEndExcluding": "7.1.0",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:ibm_aix:*:*:*:*:*",
"versionEndExcluding": "6.0.0",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:macos:*:*:*:*:*",
"versionEndExcluding": "6.2.1",
"versionStartIncluding": "0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:x86:*:*:*:*:*",
"versionEndExcluding": "6.2.1",
"versionStartIncluding": "0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:64_bit:*:*:*:*:*",
"versionEndExcluding": "6.2.1",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:macos_m_series_silicon_cpu_:*:*:*:*:*",
"versionEndExcluding": "6.3.1",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:zlinux:*:*:*:*:*",
"versionEndExcluding": "3.31.1-8",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:ppc:*:*:*:*:*",
"versionEndExcluding": "3.21.1-6",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:coreos:*:*:*:*:*",
"versionEndExcluding": "4.2.6",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:bottlerocket_intel:*:*:*:*:*",
"versionEndExcluding": "5.0.3",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:googlecos:*:*:*:*:*",
"versionEndExcluding": "5.0.2",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:bottlerocket:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qualys_inc:qualys_agent:*:*:arm:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Brent Zaltsman (AfricanHipp0)"
}
],
"datePublic": "2025-11-10T16:32:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eThe Qualys Cloud Agent included a bundled uninstall script (\u003c/span\u003e\u003cspan\u003eqagent_uninstall.sh\u003c/span\u003e\u003cspan\u003e), specific to Mac and Linux supported versions that invoked multiple system commands \u003c/span\u003e\u003cspan\u003ewithout using absolute paths and without sanitizing the \u003c/span\u003e\u003cspan\u003e$PATH\u003c/span\u003e\u003cspan\u003e environment\u003c/span\u003e\u003cspan\u003e. If the uninstall script is executed with elevated privileges (e.g., via \u003c/span\u003e\u003cspan\u003esudo\u003c/span\u003e\u003cspan\u003e) in an environment where \u003c/span\u003e\u003cspan\u003e$PATH\u003c/span\u003e\u003cspan\u003e has been manipulated, an attacker with \u003c/span\u003e\u003cspan\u003eroot\u003c/span\u003e\u003cspan\u003e/\u003c/span\u003e\u003cspan\u003esudo\u003c/span\u003e\u003cspan\u003e privileges could cause malicious executables to be run in place of the intended system binaries. This behavior can be leveraged for local privilege escalation and arbitrary command execution under elevated privileges.\u003c/span\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e"
}
],
"value": "The Qualys Cloud Agent included a bundled uninstall script (qagent_uninstall.sh), specific to Mac and Linux supported versions that invoked multiple system commands without using absolute paths and without sanitizing the $PATH environment. If the uninstall script is executed with elevated privileges (e.g., via sudo) in an environment where $PATH has been manipulated, an attacker with root/sudo privileges could cause malicious executables to be run in place of the intended system binaries. This behavior can be leveraged for local privilege escalation and arbitrary command execution under elevated privileges."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "CWE-426 Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T17:10:59.799Z",
"orgId": "8a309ac4-d8c7-4735-9c1d-ca39c5dfbcda",
"shortName": "Qualys"
},
"references": [
{
"url": "https://www.qualys.com/security-advisories/cve-2025-43079"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCustomers are advised to update to non-affected versions of Qualys product\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e. \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e"
}
],
"value": "Customers are advised to update to non-affected versions of Qualys product."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Local Privilege Escalation via qagent_uninstall.sh Qualys Cloud Agents",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Customers are advised to check workaround solutions listed on\u0026nbsp;\n\n\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.qualys.com/security-advisories/cve-2025-43079\"\u003ehttps://www.qualys.com/security-advisories/cve-2025-43079\u003c/a\u003e"
}
],
"value": "Customers are advised to check workaround solutions listed on\u00a0\n\n https://www.qualys.com/security-advisories/cve-2025-43079"
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "8a309ac4-d8c7-4735-9c1d-ca39c5dfbcda",
"assignerShortName": "Qualys",
"cveId": "CVE-2025-43079",
"datePublished": "2025-11-10T17:10:31.066Z",
"dateReserved": "2025-04-16T14:43:29.660Z",
"dateUpdated": "2026-03-18T17:10:59.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-4455 (GCVE-0-2025-4455)
Vulnerability from cvelistv5 – Published: 2025-05-09 02:31 – Updated: 2025-05-09 03:33
VLAI
Title
Patch My PC Home Updater System.IO uncontrolled search path
Summary
A vulnerability was found in Patch My PC Home Updater up to 5.1.3.0. It has been rated as critical. This issue affects some unknown processing in the library advapi32.dll/BCrypt.dll/comctl32.dll/crypt32.dll/dwmapi.dll/gdi32.dll/gdiplus.dll/imm32.dll/iphlpapi.dll/kernel32.dll/mscms.dll/msctf.dll/ntdll.dll/ole32.dll/oleaut32.dll/PresentationNative_cor3.dll/secur32.dll/shcore.dll/shell32.dll/sspicli.dll/System.IO. The manipulation leads to uncontrolled search path. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.308069 | vdb-entry |
| https://vuldb.com/?ctiid.308069 | signaturepermissions-required |
| https://vuldb.com/?submit.562440 | third-party-advisory |
| https://gist.github.com/shellkraft/d7db265b53115d… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Patch My PC | Home Updater |
Affected:
5.1.0
Affected: 5.1.1 Affected: 5.1.2 Affected: 5.1.3.0 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4455",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-09T03:33:20.223418Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-09T03:33:59.816Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Home Updater",
"vendor": "Patch My PC",
"versions": [
{
"status": "affected",
"version": "5.1.0"
},
{
"status": "affected",
"version": "5.1.1"
},
{
"status": "affected",
"version": "5.1.2"
},
{
"status": "affected",
"version": "5.1.3.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "shellkraft (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Patch My PC Home Updater up to 5.1.3.0. It has been rated as critical. This issue affects some unknown processing in the library advapi32.dll/BCrypt.dll/comctl32.dll/crypt32.dll/dwmapi.dll/gdi32.dll/gdiplus.dll/imm32.dll/iphlpapi.dll/kernel32.dll/mscms.dll/msctf.dll/ntdll.dll/ole32.dll/oleaut32.dll/PresentationNative_cor3.dll/secur32.dll/shcore.dll/shell32.dll/sspicli.dll/System.IO. The manipulation leads to uncontrolled search path. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in Patch My PC Home Updater bis 5.1.3.0 ausgemacht. Sie wurde als kritisch eingestuft. Hierbei geht es um eine nicht exakt ausgemachte Funktion in der Bibliothek advapi32.dll/BCrypt.dll/comctl32.dll/crypt32.dll/dwmapi.dll/gdi32.dll/gdiplus.dll/imm32.dll/iphlpapi.dll/kernel32.dll/mscms.dll/msctf.dll/ntdll.dll/ole32.dll/oleaut32.dll/PresentationNative_cor3.dll/secur32.dll/shcore.dll/shell32.dll/sspicli.dll/System.IO. Durch die Manipulation mit unbekannten Daten kann eine uncontrolled search path-Schwachstelle ausgenutzt werden. Umgesetzt werden muss der Angriff lokal. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Die Ausnutzbarkeit gilt als schwierig. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6,
"vectorString": "AV:L/AC:H/Au:S/C:C/I:C/A:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "Uncontrolled Search Path",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-09T02:31:04.290Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-308069 | Patch My PC Home Updater System.IO uncontrolled search path",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.308069"
},
{
"name": "VDB-308069 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.308069"
},
{
"name": "Submit #562440 | Patch My Pc Patch My PC Home Updater \u003c=5.1.3.0 Uncontrolled Search Path",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.562440"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/shellkraft/d7db265b53115d52a4ca5bffe5e9c6e4"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-08T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-05-08T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-05-08T20:57:03.000Z",
"value": "VulDB entry last update"
}
],
"title": "Patch My PC Home Updater System.IO uncontrolled search path"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-4455",
"datePublished": "2025-05-09T02:31:04.290Z",
"dateReserved": "2025-05-08T18:51:56.627Z",
"dateUpdated": "2025-05-09T03:33:59.816Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phases: Architecture and Design, Implementation
Strategy: Attack Surface Reduction
Description:
- Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
Mitigation
Phase: Implementation
Description:
- When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
Mitigation
Phase: Implementation
Description:
- Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
Mitigation
Phase: Implementation
Description:
- Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.
Mitigation
Phase: Implementation
Description:
- Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.
CAPEC-38: Leveraging/Manipulating Configuration File Search Paths
This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.