CYRISMA Agent Privilege Escalation Vulnerability via DLL Hijacking
Vulnerability
A DLL hijacking vulnerability has been identified in CYRISMA Agent versions prior to 444. This vulnerability allows local users to escalate privileges and execute arbitrary code by exploiting insecure folder and file permissions. The issue arises because low-privileged users can replace certain binaries called by the 'Cyrisma_Agent' service, which runs with 'NT AUTHORITY\SYSTEM' privileges.
Impact
Exploitation of this vulnerability allows for unauthorized privilege escalation, with executed code running in the context of the system user.
Reproduction
To reproduce this vulnerability, install CYRISMA Agent version 2.5 or earlier on a Windows machine. After installation, the 'Cyrisma_Agent' service will be created, running as 'Local System'. Low-privileged users can then replace the 'DataSpotliteAgent.exe' binary with an arbitrary executable. When the service is restarted, the replacement binary will be executed with system privileges.
Remediation
Users should update to CYRISMA Agent version 444 or later.
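A check an administrator can run before and after updating, to see whether the insecure folder and file permissions described above are present. This is an added example, not CYRISMA's code or the advisory author's: only the service name 'Cyrisma_Agent' comes from this page, while the list of low-privileged groups, the rights mask, and the assumption that the binaries the service calls sit under its install directory are choices made for this example.

```powershell
# Added example: report write-capable ACEs held by broad low-privileged groups
# on a service's install directory and the .exe/.dll files under it.
# Assumption: the install directory is the folder of the service's registered binary.
param([string]$ServiceName = 'Cyrisma_Agent')

# Well-known SIDs of groups that include ordinary local users.
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow replacing or planting a file, plus GENERIC_WRITE and
# GENERIC_ALL, which show up as raw bits on inherit-only ACEs.
$mask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask = $mask -bor 0x40000000 -bor 0x10000000

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }

# PathName may be quoted and may carry arguments; keep everything up to the first .exe.
if ($svc.PathName -match '^\s*"?(.+?\.exe)') { $dir = Split-Path -Parent $Matches[1] }
else { throw "Cannot parse service path: $($svc.PathName)" }

$targets = @($dir) + @(Get-ChildItem -LiteralPath $dir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object { $_.FullName })

$findings = foreach ($path in $targets) {
    # Ask for SIDs instead of account names so the match does not depend on OS language.
    $rules = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $lowPriv.ContainsKey($sid) -and
            ([int]$ace.FileSystemRights -band $mask)) {
            [pscustomobject]@{
                Path      = $path
                Principal = $lowPriv[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { "No write-capable ACEs for low-privileged groups under $dir" }
```

Any row in the output means a member of that group can modify or replace the listed file, or create files in the listed directory, which is the condition this advisory describes.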
