CVE-2023-3181: CWE-379: Creation of Temporary File in Directory with Insecure Permissions in Splashtop Splashtop Software Updater
The C:\Program Files (x86)\Splashtop\Splashtop Software Updater\uninst.exe process creates a folder at C:\Windows\Temp\~nsu.tmp and copies itself to it as Au_.exe. The C:\Windows\Temp\~nsu.tmp\Au_.exe file is automatically launched as SYSTEM when the system reboots or when a standard user runs an MSI repair using Splashtop Streamer’s Windows Installer. Since the C:\Windows\Temp\~nsu.tmp folder inherits permissions from C:\Windows\Temp and Au_.exe is susceptible to DLL hijacking, standard users can write a malicious DLL to it and elevate their privileges.
AI Analysis
Technical Summary
CVE-2023-3181 is a high-severity vulnerability affecting the Splashtop Software Updater component, specifically the uninst.exe process located in C:\Program Files (x86)\Splashtop\Splashtop Software Updater. This process creates a temporary folder at C:\Windows\Temp\~nsu.tmp and copies itself there as Au_.exe. This executable is launched automatically with SYSTEM privileges either upon system reboot or when a standard user initiates an MSI repair using Splashtop Streamer’s Windows Installer.

The temporary folder inherits permissions from the parent C:\Windows\Temp directory, which typically allows standard users to write files. This setup introduces a security weakness because Au_.exe is vulnerable to DLL hijacking, a technique where an attacker places a malicious DLL in the same directory as a legitimate executable, causing the executable to load the malicious DLL instead of the intended one. Since standard users can write to the temporary directory, they can place a crafted malicious DLL alongside Au_.exe. When Au_.exe runs with SYSTEM privileges, it will load this malicious DLL, thereby allowing privilege escalation from a standard user to SYSTEM level.

This vulnerability is classified under CWE-379 (Creation of Temporary File in Directory with Insecure Permissions), highlighting the risk of insecure temporary file handling. The CVSS 3.1 base score is 7.8 (high), reflecting the vulnerability’s significant impact on confidentiality, integrity, and availability, combined with relatively low attack complexity and the need for only limited privileges (standard user). No known exploits are currently reported in the wild, but the vulnerability’s nature makes it a critical concern for environments using Splashtop software, especially those with multiple user privilege levels and shared systems.
Potential Impact
For European organizations, this vulnerability poses a serious risk of privilege escalation on systems running Splashtop Software Updater. An attacker with standard user access—potentially a malicious insider or a compromised low-privilege account—could exploit this flaw to gain SYSTEM-level control. This could lead to full system compromise, unauthorized access to sensitive data, disruption of services, and the ability to deploy further malware or ransomware. Organizations relying on Splashtop for remote access or IT management may face increased risk of lateral movement and persistence by attackers. Given the SYSTEM-level execution, confidentiality, integrity, and availability of affected systems are all at high risk. This is particularly critical for sectors with strict data protection requirements under GDPR, such as finance, healthcare, and government institutions across Europe. The vulnerability also undermines trust in endpoint security and remote management solutions, potentially exposing organizations to regulatory penalties and reputational damage if exploited.
Mitigation Recommendations
1. Immediate mitigation should include restricting write permissions to the C:\Windows\Temp directory and its subdirectories to prevent standard users from placing malicious DLLs.
2. Implement application whitelisting or code integrity policies (e.g., Windows Defender Application Control) to prevent unauthorized DLLs from loading in the Splashtop updater directory.
3. Monitor and audit the creation and modification of files within C:\Windows\Temp\~nsu.tmp and related directories to detect suspicious activity.
4. Where possible, run Splashtop Software Updater and related processes with the least privileges necessary, avoiding SYSTEM-level execution unless absolutely required.
5. Engage with Splashtop for patches or updates addressing this vulnerability; if no patch is available, consider temporarily disabling the updater or replacing it with alternative remote management tools until a fix is released.
6. Educate users and administrators about the risks of privilege escalation and the importance of maintaining strict file system permissions.
7. Employ endpoint detection and response (EDR) solutions to detect DLL hijacking attempts and anomalous process launches involving Au_.exe or similar executables.
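The permission restriction and file audit in recommendations 1 and 3 can be checked per host with a short script. The following PowerShell is an added example, not Splashtop's or this page's own code; it assumes the staging folder is C:\Windows\Temp\~nsu.tmp, and the set of low-privilege SIDs and the output field names are choices made for the example.

```powershell
# Added example: audit the uninstaller staging folder named in CVE-2023-3181.
param([string]$StagingDir = 'C:\Windows\Temp\~nsu.tmp')  # assumed path

# Well-known SIDs whose membership includes standard users (example's choice).
$lowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
$rights    = [System.Security.AccessControl.FileSystemRights]
$propFlags = [System.Security.AccessControl.PropagationFlags]
# Bits that allow creating a new file (for example a DLL) inside a directory.
$writeBits = [int]$rights::CreateFiles -bor [int]$rights::AppendData

if (-not (Test-Path -LiteralPath $StagingDir -PathType Container)) {
    Write-Output "No staging folder at $StagingDir; nothing to audit."
    return
}

# Ask for rules keyed by SID so the check does not depend on the OS language.
$acl     = Get-Acl -LiteralPath $StagingDir
$sidType = [System.Security.Principal.SecurityIdentifier]
$writable = foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
    $sid         = $rule.IdentityReference.Value
    # Inherit-only ACEs apply to children, not to the folder itself.
    $inheritOnly = ([int]$rule.PropagationFlags -band [int]$propFlags::InheritOnly) -ne 0
    $canCreate   = ([int]$rule.FileSystemRights -band $writeBits) -ne 0
    if ($rule.AccessControlType -eq 'Allow' -and -not $inheritOnly -and
        $canCreate -and $lowPrivSids.ContainsKey($sid)) {
        [pscustomobject]@{
            Principal = $lowPrivSids[$sid]
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

# Any DLL beside Au_.exe deserves review: record owner, signature and timestamp.
$dlls = Get-ChildItem -LiteralPath $StagingDir -Filter '*.dll' -File -Force |
    ForEach-Object {
        [pscustomobject]@{
            Path       = $_.FullName
            Owner      = (Get-Acl -LiteralPath $_.FullName).Owner
            Signature  = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            CreatedUtc = $_.CreationTimeUtc
        }
    }

[pscustomobject]@{ StagingDir = $StagingDir; WritableBy = $writable; DllsPresent = $dlls }
```

Run it from an elevated prompt; a non-empty `WritableBy` means the folder still inherits a create-file grant for standard users, and every entry in `DllsPresent` should be traced to a known installer before the next reboot or MSI repair.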
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name:
- Date Reserved: 2023-06-09T09:44:05.431Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 683f3ee7182aa0cae28796d4
Added to database: 6/3/2025, 6:28:55 PM
Last enriched: 7/4/2025, 12:40:21 PM
Last updated: 8/18/2025, 11:34:17 PM