CVE-2024-27674 is a local privilege escalation vulnerability affecting Macro Expert software up to version 4.9.4. The core issue is improper access control on the installation directory "%PROGRAMFILES(X86)%\GrassSoft\Macro Expert", where the BUILTIN\Users group is granted modify (M) permissions with object inheritance (OI) and container inheritance (CI). This permission setting allows any unprivileged user to replace or modify the MacroService.exe binary. Since MacroService.exe runs with SYSTEM privileges, an attacker can escalate their privileges by substituting this binary with a malicious executable, effectively gaining SYSTEM-level control over the affected machine. The vulnerability is classified under CWE-276 (Incorrect Default Permissions) and has a CVSS v3.1 base score of 7.8, indicating high severity. The attack vector is local (AV:L), requiring low attack complexity (AC:L) and low privileges (PR:L), with no user interaction (UI:N) needed. The scope remains unchanged (S:U), but the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). No patches or known exploits have been reported yet, but the vulnerability poses a significant risk due to the ease of exploitation and the critical level of privilege gained. Organizations using Macro Expert should urgently review folder permissions and consider restricting access to trusted administrators only.

The vulnerability allows unprivileged users to gain SYSTEM-level privileges on affected Windows systems running Macro Expert up to version 4.9.4. This escalation can lead to full system compromise, including unauthorized access to sensitive data, installation of persistent malware, disabling security controls, and disruption of critical services. The high integrity and availability impact means attackers can modify or delete system files and services, potentially causing system instability or denial of service. Since the vulnerability requires only local access, insider threats or attackers who have gained limited footholds can leverage this flaw to fully control the system. This risk is particularly severe in enterprise environments where Macro Expert is used for automation or scripting tasks, as attackers could pivot to other network resources after gaining SYSTEM privileges. The lack of known exploits in the wild currently limits immediate widespread impact, but the vulnerability's characteristics make it a prime target for future exploitation once weaponized.

1. Immediately audit and restrict NTFS permissions on the "%PROGRAMFILES(X86)%\GrassSoft\Macro Expert" folder to remove modify (M) permissions from the BUILTIN\Users group. Only trusted administrators should have write access. 2. Implement application whitelisting or code integrity policies (e.g., Windows Defender Application Control) to prevent unauthorized binary replacement. 3. Monitor the Macro Expert installation directory for unexpected file changes using file integrity monitoring tools. 4. Limit local user privileges and enforce the principle of least privilege to reduce the number of users who can access the affected folder. 5. If possible, isolate systems running Macro Expert from untrusted users or networks to reduce exposure. 6. Engage with the vendor for patches or updates addressing this vulnerability and apply them promptly once available. 7. Educate system administrators and users about the risks of local privilege escalation and the importance of secure file permissions. 8. Consider deploying endpoint detection and response (EDR) solutions to detect anomalous behavior indicative of exploitation attempts.