
CVE-2024-13759: CWE-59 Improper Link Resolution Before File Access ('Link Following') in Avira Prime

High
Published: Fri May 09 2025 (05/09/2025, 15:20:02 UTC)
Source: CVE
Vendor/Project: Avira
Product: Prime

Description

Local Privilege Escalation in Avira.Spotlight.Service.exe in Avira Prime 1.1.96.2 on Windows 10 x64 allows local attackers to gain system-level privileges via arbitrary file deletion.

AI-Powered Analysis

Last updated: 07/05/2025, 00:13:02 UTC

Technical Analysis

CVE-2024-13759 is a local privilege escalation vulnerability in Avira Prime version 1.1.96.2 running on Windows 10 x64 systems. It stems from improper link resolution before file access (CWE-59) in the Avira.Spotlight.Service.exe component. A local attacker with limited privileges can abuse the resulting arbitrary file deletion to escalate to system-level privileges. The software follows symbolic or hard links without proper validation, which lets an attacker manipulate file paths so that critical system or application files are deleted. The CVSS v3.1 base score of 7.8 (high severity) reflects the significant impact on confidentiality, integrity, and availability, combined with relatively low attack complexity, a requirement for only limited privileges, and no user interaction. Although no known exploits are currently reported in the wild, the nature of the vulnerability makes it a serious risk if weaponized. The absence of available patches at the time of reporting increases the urgency of mitigation and monitoring.

Potential Impact

For European organizations, this vulnerability poses a substantial risk, especially for enterprises and institutions relying on Avira Prime for endpoint protection. Successful exploitation could allow attackers to gain system-level privileges, potentially leading to full system compromise, unauthorized access to sensitive data, disruption of security services, and the ability to deploy further malware or ransomware. This could severely impact confidentiality, integrity, and availability of critical systems. Given the widespread use of Avira products in Europe, particularly among small and medium-sized enterprises (SMEs) and public sector organizations, the threat could disrupt business operations and erode trust in security infrastructure. Additionally, the vulnerability could be leveraged in targeted attacks against high-value assets or critical infrastructure, amplifying its potential damage.

Mitigation Recommendations

Organizations should immediately audit their environments to identify installations of Avira Prime, particularly version 1.1.96.2 on Windows 10 x64 systems. Until an official patch is released, it is recommended to restrict local user permissions to the minimum necessary, preventing unprivileged users from accessing or manipulating Avira service files. Employ application whitelisting and file integrity monitoring to detect unauthorized changes to Avira.Spotlight.Service.exe and related files. Consider isolating systems running Avira Prime in segmented network zones to limit lateral movement in case of compromise. Monitor system logs and security alerts for unusual file deletion activities or privilege escalations. Engage with Avira support channels for updates on patches or workarounds. Additionally, implement strict symbolic link and file system access policies via group policy or endpoint management tools to reduce the risk of link-following exploitation.
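
One way to act on the log-monitoring recommendation above, as an added example that is not part of the advisory or of any Avira or Sysmon tooling: it filters Sysmon file-delete events (IDs 23 and 26) for deletions performed by Avira.Spotlight.Service.exe outside a baseline directory list. The `C:\PLACEHOLDER\...` paths, the baseline list and the sample events are constructed assumptions, and the check assumes the telemetry records the resolved path of the deleted file.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SERVICE_IMAGE = "avira.spotlight.service.exe"  # component named in the advisory
FILE_DELETE_IDS = {"23", "26"}  # Sysmon FileDelete / FileDeleteDetected
# Placeholder baseline (assumption): replace with the directories the service
# legitimately cleans up in your environment; the advisory lists none.
EXPECTED_ROOTS = [r"C:\PLACEHOLDER\ServiceData"]

def norm(path):
    """Drop a long-path prefix, collapse '..' segments, fold case and slashes."""
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return ntpath.normcase(ntpath.normpath(path))

def under(path, root):
    """True if an already-normalized path is root itself or lies below it."""
    root = norm(root).rstrip("\\")
    return path == root or path.startswith(root + "\\")

def suspicious_deletes(events_xml):
    """Return (UtcTime, User, TargetFilename) for service deletes outside the baseline."""
    hits = []
    for ev in ET.fromstring(events_xml).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) not in FILE_DELETE_IDS:
            continue
        data = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        if ntpath.basename(data.get("Image", "")).lower() != SERVICE_IMAGE:
            continue
        raw = data.get("TargetFilename", "")
        if not any(under(norm(raw), root) for root in EXPECTED_ROOTS):
            hits.append((data.get("UtcTime"), data.get("User"), raw))
    return hits

def make_event(eid, time, image, target, user="NT AUTHORITY\\SYSTEM"):  # sample builder
    fields = {"UtcTime": time, "User": user, "Image": image, "TargetFilename": target}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")

SVC = r"C:\PLACEHOLDER\Install\Avira.Spotlight.Service.exe"  # placeholder path
SAMPLE = "<Events>" + "".join([  # constructed events, not real telemetry
    make_event(23, "2025-01-01 10:00:00.000", SVC, r"c:\placeholder\servicedata\cache\old.tmp"),
    make_event(23, "2025-01-01 10:00:05.000", SVC, r"C:\PLACEHOLDER\ServiceData2\x.tmp"),
    make_event(26, "2025-01-01 10:00:09.000", SVC, r"C:\PLACEHOLDER\ServiceData\..\Other\y.bin"),
    make_event(23, "2025-01-01 10:01:00.000", r"C:\PLACEHOLDER\other.exe", r"C:\PLACEHOLDER\Other\z.tmp"),
]) + "</Events>"
print(suspicious_deletes(SAMPLE))
```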


Technical Details

Data Version: 5.1
Assigner Short Name: NLOK
Date Reserved: 2025-01-28T13:35:21.915Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9817c4522896dcbd74e3

Added to database: 5/21/2025, 9:08:39 AM

Last enriched: 7/5/2025, 12:13:02 AM

Last updated: 8/12/2025, 9:54:09 PM
