CVE-2024-10930
Published: 04 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2024-10930 is an Uncontrolled Search Path Element vulnerability (CWE-427) that enables DLL hijacking, allowing a malicious actor to execute arbitrary code with escalated privileges. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on 2025-03-04. It affects software or components detailed in the referenced advisories from CISA and Carrier.
A local attacker needs no prior privileges (PR:N) and the attack complexity is low (AC:L), but exploitation does require user interaction (UI:R): in a DLL search order hijack this is typically a user launching the affected executable while a planted DLL sits in a directory the loader consults before the legitimate location. Successful exploitation yields arbitrary code execution with the privileges of the hijacked process, hence high impact to confidentiality, integrity, and availability.
CISA ICS Advisory ICSA-25-063-01 and Carrier's product security advisories at the provided references outline mitigation strategies and available patches. Security practitioners should consult these sources for specific remediation steps tailored to affected systems.
Details
- CWE(s): CWE-427 (Uncontrolled Search Path Element)
- Affected Products: see the Carrier product security advisories and CISA ICS Advisory ICSA-25-063-01 referenced above
- MITRE ATT&CK Enterprise Techniques: T1038 (DLL Search Order Hijacking; this ID is deprecated in ATT&CK and folded into T1574.001, Hijack Execution Flow), T1068 (Exploitation for Privilege Escalation)
Why these techniques?
CWE-427 describes an uncontrolled search path, which is exactly what DLL search order hijacking (T1038) abuses: the loader consults a directory the attacker can write to before it reaches the legitimate DLL, so the planted library is executed instead. Because a local attacker with no privileges ends up running code with the escalated privileges of the hijacked process, the outcome also maps to T1068 (Exploitation for Privilege Escalation).
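To make the search-order condition concrete, here is an added example (not code from Carrier, CISA, or the advisory) that models the Windows DLL search order and reports which directories an unprivileged user could plant a DLL in before the loader reaches the real one. The directory names, their ACLs and the DLL name are constructed sample data modelling an installer launched from a user's Downloads folder; the hardened order assumes the loader has been restricted with SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) or loads the library by fully qualified path.

```python
"""Model the Windows DLL search order and flag hijackable search-path elements.

Added example for this CVE page (not code from Carrier, CISA, or MITRE). The
directory names, their ACLs, and the DLL name are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Directory:
    path: str
    dlls: set = field(default_factory=set)   # DLL file names present in this directory
    user_writable: bool = False              # can an unprivileged user create files here?


def safe_search_order(app_dir, system_dir, windows_dir, cwd, path_dirs):
    """Default LoadLibrary order with SafeDllSearchMode on (the Windows default).
    The 16-bit system directory is omitted; KnownDLLs bypass this search entirely."""
    return [app_dir, system_dir, windows_dir, cwd, *path_dirs]


def legacy_search_order(app_dir, system_dir, windows_dir, cwd, path_dirs):
    """Order with SafeDllSearchMode off: the current directory moves up to second."""
    return [app_dir, cwd, system_dir, windows_dir, *path_dirs]


def system32_only(system_dir):
    """What remains when the loader is restricted to LOAD_LIBRARY_SEARCH_SYSTEM32
    (SetDefaultDllDirectories) or the DLL is loaded by fully qualified path."""
    return [system_dir]


def resolve(dll, order):
    """Index and path of the first directory in search order holding `dll`, else None."""
    name = dll.lower()
    for i, d in enumerate(order):
        if name in {n.lower() for n in d.dlls}:
            return i, d.path
    return None


def hijackable(dll, order):
    """Unique user-writable directories the loader consults before finding `dll`.
    Each is a planting spot. If the DLL is found nowhere (a 'phantom' DLL), every
    writable directory in the order qualifies."""
    hit = resolve(dll, order)
    stop = hit[0] if hit else len(order)
    seen, out = set(), []
    for d in order[:stop]:
        if d.user_writable and d.path not in seen:
            seen.add(d.path)
            out.append(d.path)
    return out


def sample_scenario():
    """Constructed layout: Setup.exe run from Downloads, version.dll only in System32."""
    downloads = Directory(r"C:\Users\alice\Downloads", set(), user_writable=True)
    system32 = Directory(r"C:\Windows\System32", {"version.dll", "kernel32.dll"})
    windows = Directory(r"C:\Windows", set())
    tools = Directory(r"C:\Tools", set(), user_writable=True)  # PATH entry with weak ACLs
    return downloads, system32, windows, tools


def audit(dll="version.dll"):
    """Compare planting spots under the default, legacy, and hardened loader orders."""
    downloads, system32, windows, tools = sample_scenario()
    default = safe_search_order(downloads, system32, windows, downloads, [tools])
    legacy = legacy_search_order(downloads, system32, windows, downloads, [tools])
    return {
        "default": hijackable(dll, default),
        "legacy": hijackable(dll, legacy),
        "system32_only": hijackable(dll, system32_only(system32)),
    }


if __name__ == "__main__":
    for name in ("version.dll", "missing.dll"):
        print(name, audit(name))
```

On a real host, replace the constructed Directory objects with the ACL results from icacls or Get-Acl and the list of DLL names the binary actually tries to load (for example the NAME NOT FOUND entries Process Monitor shows while the installer starts); any directory the function returns is one where a low-privileged user can place a DLL that the process will load with its own privileges.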