CVE-2024-9497
Published: 24 January 2025
Description
DLL hijacking vulnerabilities, caused by an uncontrolled search path in the USBXpress 4 SDK installer, can lead to privilege escalation and arbitrary code execution when running the impacted installer.
Security Summary
CVE-2024-9497 is a DLL hijacking vulnerability stemming from an uncontrolled search path in the USBXpress 4 SDK installer from Silicon Labs. This issue, classified under CWE-427, affects systems where the impacted installer is executed and carries a CVSS v3.1 base score of 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
A local attacker exploits this by planting a malicious DLL, named after a library the installer loads, in a location the installer searches before the trusted system directories (for an installer, that is typically the directory it is launched from, such as the user's Downloads folder). Exploitation requires user interaction: a user must run the installer, which then resolves and loads the attacker's DLL. Because an installer typically runs elevated, the planted code executes outside the launching user's security context, which is why the vector records a scope change (S:C) alongside high impact on confidentiality, integrity, and availability.
Silicon Labs has published details on this vulnerability in their community advisory at https://community.silabs.com/068Vm00000JUQwd.
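The usual way to confirm an installer-side hijack of this kind is to run the installer under Process Monitor, export the trace to CSV, and look for DLLs the installer first looked for (and failed to find) in its own directory before loading them from System32. The script below is an added example, not code from Silicon Labs or the advisory: the Procmon CSV column layout is assumed to be the default export, the trace lines are constructed, and the installer file name is a placeholder rather than the real installer's name.

```python
import csv
import io
import ntpath

# Directories that a load resolving here is considered safe from; anything
# else that the installer probes before these is a hijack candidate.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows",
)

# Constructed Process Monitor CSV export (default column set assumed).
# "usbxpress_installer.exe" is a placeholder name, not the real installer.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1","usbxpress_installer.exe","4120","CreateFile","C:\\Users\\alice\\Downloads\\version.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:11.1","usbxpress_installer.exe","4120","CreateFile","C:\\Windows\\System32\\version.dll","SUCCESS","Desired Access: Read Attributes"
"10:02:11.2","usbxpress_installer.exe","4120","CreateFile","C:\\Users\\alice\\Downloads\\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:11.2","usbxpress_installer.exe","4120","Load Image","C:\\Windows\\System32\\dwmapi.dll","SUCCESS","Image Base: 0x7ffb10000000"
"10:02:11.3","usbxpress_installer.exe","4120","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:02:11.4","explorer.exe","1234","CreateFile","C:\\Users\\alice\\Downloads\\other.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"""


def hijack_candidates(procmon_csv, process_name):
    """Return {dll_name: untrusted_dir} for DLLs that the given process first
    probed (and missed) in a directory outside TRUSTED_DIRS and then went on
    to load successfully from elsewhere. A miss followed by a later success
    means the library is genuinely needed and the search fell through, so a
    file planted at the missed location would win the search.
    """
    missed = {}
    loaded = set()
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        directory, name = ntpath.split(path)
        name = name.lower()
        if row["Operation"] == "CreateFile" and row["Result"] == "NAME NOT FOUND":
            if directory.lower() not in TRUSTED_DIRS:
                # Keep the first (highest-priority) untrusted location probed.
                missed.setdefault(name, directory)
        elif row["Result"] == "SUCCESS" and row["Operation"] in ("CreateFile", "Load Image"):
            loaded.add(name)
    return {name: d for name, d in missed.items() if name in loaded}


if __name__ == "__main__":
    for dll, where in hijack_candidates(SAMPLE_PROCMON_CSV, "usbxpress_installer.exe").items():
        print(f"{dll}: would be loaded from {where} if present there")
```

A candidate reported here only becomes the privilege escalation the advisory describes when the installer is launched elevated, so check the process integrity level in the same trace. On the developer side, the standard CWE-427 fix is to restrict the search order (for example SetDefaultDllDirectories with LOAD_LIBRARY_SEARCH_SYSTEM32, or loading by fully qualified path) before any delay-loaded library is resolved.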
Details
- CWE(s)