Cyber Posture

CVE-2024-9491

High

Published: 24 January 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 8.6 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0008 (22.4th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Description

DLL hijacking vulnerabilities, caused by an uncontrolled search path in the Configuration Wizard 2 installer, can lead to privilege escalation and arbitrary code execution when running the impacted installer.

Security Summary

CVE-2024-9491 is a DLL hijacking vulnerability stemming from an uncontrolled search path in the Configuration Wizard 2 installer, associated with Silicon Labs software. This issue, classified under CWE-427, enables privilege escalation and arbitrary code execution when the affected installer is executed. It carries a CVSS v3.1 base score of 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and was published on 2025-01-24.

Exploitation requires user interaction (UI:R): a local attacker with no required privileges (PR:N) must get a user to run the impacted installer, for example through social engineering. Successful exploitation allows the attacker to achieve privilege escalation and execute arbitrary code with elevated permissions; the vector records this as a scope change (S:C).

Mitigation details are outlined in the Silicon Labs community advisory at https://community.silabs.com/068Vm00000JUQwd.

Details

CWE(s): CWE-427
