CVE-2024-30377 is a local privilege escalation vulnerability affecting G DATA Total Security, version 25.5.17.335. The vulnerability stems from improper link resolution before file access (CWE-59) in the G DATA AntiVirus Scan Server component. An attacker who has already obtained the ability to execute code with low privileges on the target system can create symbolic links (symlinks) that the scan server follows improperly. This leads to the deletion of arbitrary files, which can be leveraged to escalate privileges by manipulating critical system or application files. Ultimately, the attacker can execute arbitrary code in the context of the SYSTEM account, the highest privilege level on Windows systems. The vulnerability requires local access and low-privileged code execution but does not require user interaction. The CVSS v3.0 score is 7.8, reflecting high impact on confidentiality, integrity, and availability due to the potential for full system compromise. The vulnerability was assigned by the Zero Day Initiative (ZDI) as ZDI-CAN-23381 and published on November 22, 2024. No patches have been linked yet, and no known exploits are reported in the wild. The flaw highlights the risks of improper handling of symbolic links in security software components that operate with elevated privileges.

The impact of CVE-2024-30377 is significant for organizations using G DATA Total Security, as it allows local attackers to escalate privileges from a low-privileged user to SYSTEM level. This can lead to full system compromise, including unauthorized access to sensitive data, disruption of security controls, and potential deployment of persistent malware. Because the vulnerability involves deletion of arbitrary files, it could also cause system instability or denial of service. Organizations with multiple users or shared environments are at higher risk, as any user with limited access could exploit this flaw to gain administrative control. The lack of required user interaction and the high privileges gained increase the threat severity. Although no exploits are currently known in the wild, the vulnerability’s nature and high CVSS score suggest it could be targeted by attackers once exploit code becomes available. This poses a risk to confidentiality, integrity, and availability of affected systems.

Until an official patch is released, organizations should implement several specific mitigations: 1) Restrict local user permissions to the minimum necessary to prevent unauthorized code execution at low privilege levels. 2) Monitor and audit file system changes, especially creation of symbolic links in directories accessed by G DATA AntiVirus Scan Server. 3) Use application whitelisting and endpoint detection and response (EDR) tools to detect suspicious activity related to symbolic link creation or file deletions by the scan server process. 4) Isolate systems running G DATA Total Security to limit local access to trusted users only. 5) Regularly back up critical system and configuration files to enable recovery from potential arbitrary file deletions. 6) Once available, promptly apply vendor patches or updates addressing this vulnerability. 7) Engage with G DATA support or security advisories for updates and recommended configurations that mitigate link-following risks. These targeted actions go beyond generic advice by focusing on controlling local access, monitoring symbolic link usage, and preparing for recovery from file tampering.