CVE-2023-45159 is a high-severity vulnerability classified under CWE-59 (Improper Link Resolution Before File Access, also known as 'Link Following') affecting the 1E Client software. The vulnerability arises because the 1E Client installer, when running on Windows, can be tricked by a non-privileged user into deleting arbitrary protected files or directories. This is achieved by the attacker creating a symbolic link (symlink) or Windows junction that points to a protected directory. When the 1E Client service starts, it follows this link and clears the target directory, resulting in unauthorized deletion of files that should be protected. The vulnerability does not require elevated privileges or user interaction, making it easier to exploit in environments where unprivileged users have access to the system. The vendor has released hotfixes for versions 8.1, 8.4, and 9.0, as well as for SaaS customers, which mitigate the issue by forcing the 1E Client to detect symbolic links or junctions and refuse to use those paths. Instead, it creates a new path involving a random GUID to prevent link following attacks. The CVSS v3.1 base score is 8.4, reflecting high impact on confidentiality, integrity, and availability due to the potential for arbitrary file deletion. No known exploits are reported in the wild yet, but the vulnerability's nature and ease of exploitation make it a significant risk if left unpatched.

For European organizations using the 1E Client, this vulnerability poses a serious risk to system stability and data integrity. The arbitrary deletion of protected files could lead to service disruptions, loss of critical configuration or operational data, and potential downtime. This is especially impactful in enterprise environments where 1E Client is used for endpoint management, software deployment, or patch management, as the deletion of files could interrupt these essential functions. Confidentiality is also at risk if sensitive files are deleted or replaced. The vulnerability could be exploited by insider threats or malware running with limited privileges, amplifying the risk in environments with multiple users or shared systems. Given the high CVSS score and the lack of required privileges or user interaction, the threat could propagate quickly if attackers gain initial access. European organizations with strict data protection regulations (e.g., GDPR) may face compliance issues if data loss or service interruptions occur due to this vulnerability.

European organizations should immediately apply the vendor-provided hotfixes corresponding to their 1E Client version (Q23097 for v8.1, Q23105 for v8.4, Q23115 for v9.0, and Q23121 for SaaS customers with 1EClient v23.7). Beyond patching, organizations should audit and restrict the ability of non-privileged users to create symbolic links or junctions on systems running the 1E Client, using Windows Group Policy or local security policies. Implementing strict file system permissions to limit who can create or modify links in directories monitored or used by the 1E Client is critical. Monitoring and alerting for unusual symbolic link creation or unexpected file deletions in protected directories can provide early detection of exploitation attempts. Additionally, organizations should review and harden endpoint security controls to prevent unauthorized local access and consider application whitelisting to restrict execution of unauthorized installers or scripts that could exploit this vulnerability.