CVE-2024-22002: n/a
CORSAIR iCUE 5.9.105 with iCUE Murals on Windows allows unprivileged users to insert DLL files in the cuepkg-1.2.6 subdirectory of the installation directory.
AI Analysis
Technical Summary
CVE-2024-22002 is a vulnerability identified in CORSAIR iCUE version 5.9.105, specifically involving the iCUE Murals feature on Windows platforms. The flaw allows unprivileged local users to insert arbitrary DLL files into the cuepkg-1.2.6 subdirectory within the installation directory. This insertion capability can lead to DLL hijacking or injection attacks, enabling the attacker to execute arbitrary code with elevated privileges. The vulnerability arises from insufficient access controls on the installation directory's subfolders, permitting unauthorized write operations by non-administrative users. The CVSS v3.1 base score is 7.8, reflecting high severity due to the combination of local attack vector, low attack complexity, required privileges, and no user interaction. The impact includes potential full compromise of confidentiality, integrity, and availability of affected systems. Although no public exploits have been reported yet, the vulnerability represents a significant risk, especially in environments where multiple users share a system or where local access can be gained through other means. The CWE classification is CWE-200 (Exposure of Sensitive Information), indicating that the vulnerability may also allow unauthorized disclosure of information through DLL manipulation. The lack of available patches at the time of publication necessitates immediate attention to mitigation strategies.
Potential Impact
The vulnerability allows local attackers to execute arbitrary code with elevated privileges by injecting malicious DLLs into the CORSAIR iCUE installation directory. This can lead to full system compromise, including unauthorized access to sensitive data, modification or destruction of system files, and disruption of system availability. Organizations using CORSAIR iCUE software on Windows, particularly in multi-user environments or shared systems, face increased risk of insider threats or lateral movement by attackers who gain local access. The high severity score reflects the broad impact on confidentiality, integrity, and availability. Although exploitation requires local access, the ease of DLL injection and lack of user interaction make it a potent vector for privilege escalation and persistence. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability is likely to attract attacker interest due to the popularity of CORSAIR products among gamers and professionals. Failure to address this vulnerability could result in targeted attacks against organizations relying on CORSAIR iCUE for device management and customization.
Mitigation Recommendations
1. Immediately restrict write permissions on the cuepkg-1.2.6 subdirectory and the entire CORSAIR iCUE installation directory to administrative users only, preventing unprivileged users from inserting DLL files.
2. Monitor the installation directory for unauthorized file changes or additions, using file integrity monitoring tools to detect suspicious DLL insertions.
3. Isolate systems running CORSAIR iCUE to minimize local access by untrusted users, especially in shared or multi-user environments.
4. Employ application whitelisting to prevent execution of unauthorized DLLs or code within the iCUE context.
5. Regularly check for and apply official patches or updates from CORSAIR once available to remediate the vulnerability.
6. Educate users about the risks of local privilege escalation and enforce strict local user account management policies.
7. Consider temporarily uninstalling or disabling the iCUE Murals feature if it is not essential, reducing the attack surface until a patch is released.
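Recommendations 1 and 2 can be verified with a short audit of the installation tree. The PowerShell below is an added example, not CORSAIR's or this page's own tooling; `$InstallDir` is a placeholder because the page does not state the installation path, and the trusted-SID list is an assumption to adjust for your environment.

```powershell
# Added example: find directory ACEs that let non-administrative principals
# write, then list the DLLs present as a file-integrity baseline.
param(
    # Placeholder: the page does not give the installation path; supply your own.
    [Parameter(Mandatory)] [string] $InstallDir
)

# Principals expected to hold write access (well-known SIDs, locale-independent).
$trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow adding or replacing a file, or rewriting the ACL to do so.
$writeMask = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL
foreach ($r in 'WriteData', 'AppendData', 'Delete', 'ChangePermissions', 'TakeOwnership') {
    $writeMask = $writeMask -bor [int][System.Security.AccessControl.FileSystemRights]$r
}

# Step 1 check: walk the root and every subdirectory (cuepkg-1.2.6 included).
$dirs = @(Get-Item -LiteralPath $InstallDir) +
        @(Get-ChildItem -LiteralPath $InstallDir -Directory -Recurse)
$findings = foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $dir.FullName
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}
$findings | Format-Table -AutoSize

# Step 2 baseline: hash and signature status of every DLL, for later comparison.
Get-ChildItem -LiteralPath $InstallDir -Filter *.dll -File -Recurse | ForEach-Object {
    [pscustomobject]@{
        Path      = $_.FullName
        SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        Modified  = $_.LastWriteTimeUtc
    }
}
```

A finding with `Inherited = True` has to be corrected on the parent folder that defines the entry, not on the subdirectory where it shows up.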
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, China, Brazil, Russia
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-01-03T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d49b7ef31ef0b56ffb5
Added to database: 2/25/2026, 9:44:41 PM
Last enriched: 2/28/2026, 9:08:19 AM
Last updated: 4/12/2026, 9:21:20 AM