CVE-2025-6241: SysTrack LsiAgent.exe Vulnerable to DLL Hijacking
A critical vulnerability, identified as CVE-2025-6241, has been discovered in LsiAgent.exe, a core component of Lakeside Software's SysTrack. This flaw allows a local attacker to escalate their privileges to SYSTEM by exploiting a DLL hijacking vulnerability.
Vulnerability Details
- CVE ID: CVE-2025-6241
- Description: LsiAgent.exe attempts to load DLL files that are not included in the default SysTrack installation. If a user-writable directory is present in the SYSTEM PATH environment variable, an attacker can place a malicious DLL in that directory. Upon service start or restart, this malicious DLL will be loaded and executed with NT AUTHORITY\SYSTEM privileges, leading to local elevation of privileges.
- CVSS Score and Vector: The CVE does not yet have a CVSS score because it was only recently received. However, a local privilege escalation vulnerability typically receives a HIGH score due to the potential impact on system integrity. A projected CVSS vector might look like: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This means the vulnerability is exploitable locally with low attack complexity, low privileges, and no user interaction, and results in complete compromise of confidentiality, integrity, and availability.
- Exploit Requirements: The attacker needs local access to the system and the ability to write files to a directory listed in the SYSTEM PATH environment variable.
- Affected Vendor, Product, Version: Lakeside Software SysTrack. The affected versions are not specified, but the vulnerability is addressed in agent version 10.10.0 and later.
- CWE: CWE-427 - Uncontrolled Search Path Element. This means the application uses a predictable path to find required resources (like DLLs), and an attacker can influence that path to point to their own malicious resources.
Timeline of Events
- 2025-07-27: CVE ID assigned and vulnerability reported.
Exploitability & Real-World Risk
DLL hijacking is a well-understood attack vector. If a user has the ability to add a directory they control to the system's PATH variable (which is sometimes possible), they can easily exploit this vulnerability. Even without modifying the PATH, if a directory in the default PATH is writable, it can be exploited. The real-world risk is significant, as successful exploitation grants the attacker full control over the affected system.
Recommendations
- Patch: Upgrade SysTrack agents to version 10.10.0 or later, as this hotfix addresses the DLL hijacking vulnerability.
- Best Practices: Review and harden the SYSTEM PATH environment variable to ensure no user-writable directories are included. Implement proper access control measures to prevent unauthorized file writes.
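One way to carry out the PATH review recommended above, as an added example (not Lakeside's or the reporter's code). It lists machine-level PATH directories where any principal other than SYSTEM, Administrators or TrustedInstaller holds a right that allows creating files. The trusted-SID list and the choice of rights are assumptions to adjust for your environment; run it elevated so every ACL can be read.

```powershell
# Added example: audit the machine PATH for directories writable by non-admin principals.
# Assumption: only these well-known SIDs are expected to hold write access.
$trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' # NT SERVICE\TrustedInstaller
)

# Rights that let a principal plant a file, or rewrite the ACL to allow it.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, ChangePermissions, TakeOwnership'
# ACEs can also carry raw generic bits: GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')

$findings = foreach ($entry in ($machinePath -split ';' | Where-Object { $_.Trim() })) {
    $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))

    # A PATH entry that does not exist deserves review too: whoever can create it controls it.
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        [pscustomobject]@{ Directory = $dir; Principal = '-'; Rights = 'directory missing' }
        continue
    }

    # Ask for SIDs directly so unresolvable accounts do not raise translation errors.
    $rules = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType)
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to this directory itself.
        if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

        # Show a friendly name when the SID resolves, otherwise the SID itself.
        $name = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $ace.IdentityReference.Value }
        [pscustomobject]@{ Directory = $dir; Principal = $name; Rights = $ace.FileSystemRights }
    }
}

if ($findings) { $findings | Sort-Object Directory, Principal | Format-Table -AutoSize }
else           { 'No machine PATH directory grants write access outside the trusted list.' }
```

Any directory reported here should either be removed from the machine PATH or have its ACL tightened, independently of upgrading the agent.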
Technical Insight
The LsiAgent.exe executable attempts to load specific DLL files without fully qualifying their paths. Windows searches for these DLLs in a predefined order, including directories listed in the SYSTEM PATH. By placing a malicious DLL with the same name as one of the missing DLLs in a user-writable directory that's also in the SYSTEM PATH, an attacker can trick LsiAgent.exe into loading their malicious code, effectively taking over the process with elevated privileges.
Credit to Researcher(s)
Vulnerability reported to CISA by an anonymous researcher.
Summary: LsiAgent.exe, a component of Lakeside Software's SysTrack, suffers from a DLL hijacking vulnerability (CVE-2025-6241). An attacker with local access can escalate their privileges to SYSTEM by placing a malicious DLL in a user-writable directory present in the SYSTEM PATH environment variable. Upgrade to agent version 10.10.0 or later to mitigate this risk.
CVE ID: CVE-2025-6241
Risk Analysis: Successful exploitation allows the attacker to execute arbitrary code with SYSTEM privileges, potentially leading to complete system compromise, data theft, and denial of service.
Recommendation: Upgrade SysTrack agents to version 10.10.0 or later and review the SYSTEM PATH environment variable to ensure no user-writable directories are included.