CVE-2024-9492
Published: 24 January 2025
Description
DLL hijacking vulnerabilities caused by an uncontrolled search path in the Flash Programming Utility installer can lead to privilege escalation and arbitrary code execution when the impacted installer is run.
Security Summary
CVE-2024-9492 is a DLL hijacking vulnerability stemming from an uncontrolled search path (CWE-427) in the Flash Programming Utility installer from Silicon Labs. Published on January 24, 2025, it carries a CVSS v3.1 base score of 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). The flaw allows malicious DLLs to be loaded and executed during installer execution due to improper directory search precedence.
A local attacker can exploit this vulnerability by placing a malicious DLL in a directory that the installer searches before legitimate paths, tricking a user into running the affected installer. No special privileges are required (PR:N), but user interaction is needed (UI:R), such as launching the utility. Successful exploitation enables privilege escalation and arbitrary code execution with high confidentiality, integrity, and availability impacts, with a changed scope (S:C).
Silicon Labs has issued an advisory on their community forum at https://community.silabs.com/068Vm00000JUQwd, which provides details on the vulnerability and recommended mitigations for affected users.
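As an added, defender-side illustration that is not code from Silicon Labs or from the advisory, the snippet below shows the hardening that addresses CWE-427 in an installer's own code: the process-wide DLL search order is restricted to System32 and the library is loaded by absolute path instead of by a bare name that Windows would first resolve through the application directory and current working directory. All function and file names are assumptions; the Windows-only part compiles only under _WIN32, while the path-validation helper is portable.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Accept only a bare file name such as "version.dll" (sample name):
 * no directory separators, no traversal, only [A-Za-z0-9_.-],
 * and a lowercase ".dll" suffix. */
static int is_plain_dll_name(const char *name)
{
    size_t n = strlen(name);
    if (n < 5 || n > 255) return 0;                 /* "x.dll" is the shortest */
    if (strcmp(name + n - 4, ".dll") != 0) return 0;
    if (name[0] == '.') return 0;                   /* rejects ".dll", "..dll" */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-')) return 0;
    }
    return strstr(name, "..") == NULL;
}

/* Build "<trusted_dir>\<name>" so the loader receives an absolute path.
 * Returns 1 on success, 0 if the name is rejected or the buffer is too small. */
int join_trusted_dir(const char *trusted_dir, const char *name,
                     char *out, size_t out_len)
{
    if (!is_plain_dll_name(name)) return 0;
    int w = snprintf(out, out_len, "%s\\%s", trusted_dir, name);
    return w > 0 && (size_t)w < out_len;
}

#ifdef _WIN32
/* Hardened load (hypothetical helper). The vulnerable pattern it replaces
 * is a bare LoadLibraryA("version.dll"), which lets a DLL planted in the
 * installer's directory or the current directory win the search. */
HMODULE load_system_dll(const char *name)
{
    char sysdir[MAX_PATH], full[MAX_PATH];
    if (!SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)) return NULL;
    if (!GetSystemDirectoryA(sysdir, sizeof sysdir)) return NULL;
    if (!join_trusted_dir(sysdir, name, full, sizeof full)) return NULL;
    return LoadLibraryExA(full, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
}
#endif
```

Installers built with tooling that does not expose the loader calls can often get the same effect by declaring the DLLs they need with absolute paths in the build configuration; the search-order restriction still has to be applied before any delay-loaded or plugin DLL is first touched.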
Details
- CWE(s): CWE-427 (Uncontrolled Search Path Element)