CVE-2024-31498: n/a
Yubico ykman-gui (aka YubiKey Manager GUI) before 1.2.6 on Windows, when Edge is not used, allows privilege escalation because browser windows can open as Administrator.
AI Analysis
Technical Summary
CVE-2024-31498 is a local privilege escalation vulnerability in Yubico's YubiKey Manager GUI (ykman-gui) for Windows, affecting versions before 1.2.6. On Windows the GUI is run as Administrator (Windows restricts access to the key's FIDO interface to administrators), and when the user follows one of the GUI's links it hands the URL to the default browser through the ordinary shell-open mechanism. A process started that way inherits its parent's token, so the browser comes up as Administrator. Microsoft Edge is not affected because it does not keep the elevated token when launched this way; other browsers do, and every browser feature that touches the system (file open and save dialogs, downloads, "open with" handlers, developer tools) then runs with Administrator rights. A standard user who can operate the GUI therefore obtains an Administrator-level process without any further flaw, which is why the weakness is classified as CWE-269 (Improper Privilege Management). The CVSS v3.1 base score recorded for the CVE is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The network attack vector in that record does not match the behaviour described, which requires an interactive session on the affected machine; scored with AV:L and otherwise identical metrics the result is 7.8, still High. No public exploit code or in-the-wild exploitation has been reported. The issue is fixed in YubiKey Manager GUI 1.2.6 and later, which changed how the browser is invoked so that it no longer starts with the GUI's Administrator token.
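What this behaviour looks like in endpoint telemetry, and how to alert on it, as an added example (this is not code from Yubico or from the original analysis): the rule below runs over Sysmon event ID 1 process-creation records and flags a browser created by the GUI process at High integrity, plus any non-browser process spawned by that elevated browser, which is the second stage of the escalation. The image name ykman-gui.exe, the browser list and the sample events are assumptions constructed for the example, not values taken from the CVE record.

```python
"""Alert on CVE-2024-31498-style behaviour in Sysmon process-creation telemetry.

Two-stage rule over Sysmon Event ID 1 fields (Image, ParentImage, IntegrityLevel):
  stage 1: a browser created by the YubiKey Manager GUI process while running
           at High integrity, i.e. the browser inherited the Administrator token;
  stage 2: anything that is not the browser's own child process being spawned
           by such an elevated browser (cmd.exe, powershell.exe, an installer).
Image names, the browser list and the sample events are assumptions constructed
for this example; only the behaviour itself comes from the CVE description.
"""
from dataclasses import dataclass

YKMAN_GUI = "ykman-gui.exe"  # assumed image name of the YubiKey Manager GUI on Windows
BROWSERS = {"chrome.exe", "firefox.exe", "brave.exe", "opera.exe", "vivaldi.exe", "msedge.exe"}
ELEVATED = {"High", "System"}  # Sysmon IntegrityLevel values that mean an administrator token


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    image: str
    parent: str
    user: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict):
    """Return a Finding for one Sysmon event ID 1 record, or None if it is benign."""
    if event.get("IntegrityLevel") not in ELEVATED:
        return None  # a Medium-integrity browser is the normal, safe case
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    user = event.get("User", "?")
    if parent == YKMAN_GUI and image in BROWSERS:
        if image == "msedge.exe":
            # The CVE text limits the issue to non-Edge browsers; keep the event
            # visible but do not page on it.
            return Finding("info", "edge-from-ykman-gui-elevated", image, parent, user)
        return Finding("high", "browser-from-ykman-gui-elevated", image, parent, user)
    if parent in BROWSERS and image != parent:
        # Browsers spawn copies of themselves (renderers, GPU process); anything
        # else coming out of an elevated browser is the escalation being used.
        return Finding("high", "child-of-elevated-browser", image, parent, user)
    return None


def scan(events):
    """Evaluate a batch of events and return the findings in input order."""
    return [f for f in map(evaluate, events) if f is not None]


# Constructed sample telemetry, not from a real host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Program Files\Yubico\YubiKey Manager\ykman-gui.exe",
     "IntegrityLevel": "High", "User": r"CORP\jdoe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "IntegrityLevel": "High", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "IntegrityLevel": "High", "User": r"CORP\jdoe"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Program Files\Yubico\YubiKey Manager\ykman-gui.exe",
     "IntegrityLevel": "High", "User": r"CORP\jdoe"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "Medium", "User": r"CORP\jdoe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.parent} -> {f.image} ({f.user})")
```

The same-image exclusion in stage 2 matters in practice: an elevated browser spawns its own renderer and GPU processes at High integrity too, and without it the rule would fire on every tab. The Medium-integrity firefox.exe launched from explorer.exe is the everyday case and produces nothing.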
Potential Impact
A standard user with an interactive session (local or remote desktop) on a Windows system running a vulnerable YubiKey Manager GUI can escalate to Administrator simply by using the application: once a non-Edge browser is open under the Administrator token, its file dialogs, downloads and "open with" handlers can be used to write to protected locations and start arbitrary programs as Administrator. The usual consequences follow: reading other users' data, installing persistent malware, creating or modifying accounts, and disabling endpoint protection and logging. The exposure is greatest on shared or managed workstations, jump hosts and kiosks where non-administrative users are expected to enrol or manage their own YubiKeys and the GUI is installed for them, and for attackers who already hold a low-privilege foothold on such a host and need local administrator rights for persistence or lateral movement. Exploitation needs only two preconditions: being at the machine (or in a remote session), and the GUI being launched elevated, which is its normal mode on Windows; no code, tools or timing are involved. No exploitation in the wild has been reported, but the attack is trivial once those preconditions exist.
Mitigation Recommendations
Upgrade YubiKey Manager GUI to 1.2.6 or later on every Windows host where it is installed, and verify the installed version rather than relying on deployment dates, since the GUI does not update itself. Where the upgrade has to wait, reduce exposure in this order: uninstall the GUI from machines whose users do not need it and use the ykman command-line tool (which does not open a browser) for administrative key management; set Microsoft Edge as the default browser for users who still need the GUI, because the issue is limited to the case where Edge is not the handler; and restrict who can launch the GUI with application control (AppLocker or WDAC rules on the ykman-gui binary) so that standard users cannot start it. For detection the signal is specific: a browser process created by the YubiKey Manager GUI process at High integrity, and anything other than a browser's own child processes being spawned by that elevated browser. Windows Security event 4688 (Token Elevation Type and Mandatory Label fields) or Sysmon event 1 (IntegrityLevel and ParentImage) carry what is needed to alert on both stages. Keep administrative rights minimal in general so that the population of hosts where a local escalation matters stays small.
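A host-side audit of the two facts the mitigation depends on, installed version and default browser, as an added example (not a Yubico tool and not from the original analysis): it walks the standard Windows Uninstall registry keys for a product whose DisplayName contains "YubiKey Manager" (an assumption about how the installer registers itself), reads the current user's http URL association, and reports whether the host is below 1.2.6 and whether Edge is the handler. The registry walk only runs on Windows; the decision logic is plain Python.

```python
"""Audit a Windows host for CVE-2024-31498 exposure.

Reports the installed YubiKey Manager GUI version (from the Uninstall registry
keys) and whether the current user's default http handler is Microsoft Edge
(from the UrlAssociations UserChoice key). Added example for this page, not a
Yubico tool. The DisplayName substring is an assumption about the installer;
the fixed version 1.2.6 and the Edge exception come from the CVE description.
"""
import re
import sys

FIXED_VERSION = (1, 2, 6)
PRODUCT_NAME = "yubikey manager"  # assumed substring of the installer's DisplayName
UNINSTALL_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
HTTP_USERCHOICE = r"Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice"


def parse_version(text):
    """'1.2.5' -> (1, 2, 5); tolerant of suffixes such as '1.2.5.0' or '1.2.5-beta'."""
    nums = re.findall(r"\d+", text or "")
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(n) for n in nums[:3])
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(version_text):
    """True for any GUI version below the fixed release 1.2.6."""
    return parse_version(version_text) < FIXED_VERSION


def is_edge_progid(progid):
    """Edge registers its URL handler ProgIds with an 'MSEdgeHTM' prefix."""
    return (progid or "").upper().startswith("MSEDGEHTM")


def assess(version_text, http_progid):
    """Combine the two facts into a finding the operator can act on."""
    if version_text is None:
        return "not-installed"
    if not is_vulnerable(version_text):
        return "patched"
    if is_edge_progid(http_progid):
        # The description limits the issue to non-Edge browsers, but a user can
        # change the default at any time, so this is still an upgrade candidate.
        return "vulnerable-version-edge-default"
    return "vulnerable"


def find_ykman_gui_version():
    """Walk the Uninstall keys (64-bit, 32-bit and per-user views) for the product."""
    import winreg  # Windows only
    views = [
        (winreg.HKEY_LOCAL_MACHINE, winreg.KEY_WOW64_64KEY),
        (winreg.HKEY_LOCAL_MACHINE, winreg.KEY_WOW64_32KEY),
        (winreg.HKEY_CURRENT_USER, 0),
    ]
    for hive, view in views:
        try:
            root = winreg.OpenKey(hive, UNINSTALL_SUBKEY, 0, winreg.KEY_READ | view)
        except OSError:
            continue
        with root:
            index = 0
            while True:
                try:
                    name = winreg.EnumKey(root, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(root, name, 0, winreg.KEY_READ | view) as sub:
                        display = str(winreg.QueryValueEx(sub, "DisplayName")[0])
                        if PRODUCT_NAME in display.lower():
                            return str(winreg.QueryValueEx(sub, "DisplayVersion")[0])
                except OSError:
                    continue  # entry without DisplayName/DisplayVersion
    return None


def default_http_progid():
    """ProgId of the current user's default http handler, or None if unset."""
    import winreg  # Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, HTTP_USERCHOICE) as key:
            return str(winreg.QueryValueEx(key, "ProgId")[0])
    except OSError:
        return None


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("registry audit only runs on Windows; assess() holds the decision logic")
    version = find_ykman_gui_version()
    progid = default_http_progid()
    print(f"YubiKey Manager GUI version: {version}, default http handler: {progid}")
    print("result:", assess(version, progid))
```

Run it under the account of the user who actually uses the GUI, because the UserChoice key is per-user: a machine-wide Edge default configured by policy still shows up there, but an audit run from an administrative session would otherwise report that administrator's browser, not the standard user's.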
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, Netherlands, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-04-04T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6dd2b7ef31ef0b58edb5
Added to database: 2/25/2026, 9:46:58 PM
Last enriched: 2/26/2026, 1:10:46 PM
Last updated: 4/12/2026, 3:39:01 PM