CVE-2024-9498
Published: 24 January 2025
Description
DLL hijacking vulnerabilities, caused by an uncontrolled search path in the USBXpress SDK installer can lead to privilege escalation and arbitrary code execution when running the impacted installer.
Security Summary
CVE-2024-9498 is a DLL hijacking vulnerability (CWE-427) caused by an uncontrolled search path in the USBXpress SDK installer from Silicon Labs. Published on 2025-01-24, it affects users running the impacted installer and carries a CVSS v3.1 base score of 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
A local attacker with no required privileges can exploit this vulnerability by placing a malicious DLL in a directory included in the installer's search path and inducing a user to execute the installer. This requires user interaction but low complexity, enabling privilege escalation and arbitrary code execution upon DLL loading, with high impacts across confidentiality, integrity, availability, and a change in scope.
Silicon Labs has issued an advisory with further details at https://community.silabs.com/068Vm00000JUQwd, which security practitioners should consult for mitigation guidance and patch information.
Details
- CWE(s)