CVE-2018-12441

The CorsairService Service in Corsair Utility Engine is installed with insecure default permissions, which allows unprivileged local users to execute arbitrary commands via modification of the CorsairService BINARY_PATH_NAME, leading to complete control of the affected system. The issue exists due to the Windows "Everyone" group being granted SERVICE_ALL_ACCESS permissions to the CorsairService Service.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 9%
VendorProductVersion
corsaircorsair_utility_engine
3.2.87
corsaircorsair_utility_engine
3.3.103
corsaircorsair_utility_engine
3.4.95
corsaircorsair_utility_engine
3.6.109
corsaircorsair_utility_engine
3.7.99
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/TheRealJoeDoran/CVE/blob/master/CVE-2018-12441/CVE-2018-12441.txt
https://github.com/TheRealJoeDoran/CVE/blob/master/CVE-2018-12441/CVE-2018-12441.txt