CVE-2024-9499

CVE-2024-9499 is a DLL hijacking vulnerability caused by an uncontrolled search path in the USBXpress Win 98SE Dev Kit installer. This issue, classified under CWE-427, affects the installer for this development kit from Silicon Labs and can lead to privilege escalation and arbitrary code execution when the impacted installer is executed. The vulnerability has a CVSS v3.1 base score of 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), highlighting its high severity due to the potential for significant impact with low attack complexity.

A local attacker can exploit this vulnerability by placing a malicious DLL in a directory included in the installer's search path, which is searched before secure locations. Exploitation requires no special privileges (PR:N) but depends on user interaction (UI:R), such as a victim running the installer. Upon success, the attacker achieves privilege escalation and arbitrary code execution with high scope change, compromising confidentiality, integrity, and availability.

Silicon Labs has published details on this vulnerability in their community advisory at https://community.silabs.com/068Vm00000JUQwd, which security practitioners should consult for recommended mitigations and patches.