CVE-2024-39708: n/a
An issue was discovered in the Agent in Delinea Privilege Manager (formerly Thycotic Privilege Manager) before 12.0.1096 on Windows. Sometimes, a non-administrator user can copy a crafted DLL file to a temporary directory (used by .NET Shadow Copies) such that privilege escalation can occur if the core agent service loads that file.
AI Analysis
Technical Summary
CVE-2024-39708 is a vulnerability identified in the Agent component of Delinea Privilege Manager (previously Thycotic Privilege Manager) on Windows platforms, affecting versions before 12.0.1096. The issue arises from the agent's handling of DLL files in temporary directories associated with .NET Shadow Copies. A non-administrator user can exploit this by copying a specially crafted DLL into these temporary directories. When the core agent service loads this DLL, it executes the malicious code with elevated privileges, resulting in privilege escalation. This vulnerability is classified under CWE-427, which involves unsafe dynamic library loading, allowing attackers to influence the code executed by a privileged process. The attack vector requires local access with low privileges and does not require user interaction, but the attack complexity is high due to the need to place the DLL in a specific temporary directory. The CVSS v3.1 score is 7.0, reflecting high impact on confidentiality, integrity, and availability, with attack vector local, attack complexity high, privileges required low, and no user interaction. No public exploits have been reported yet, but the vulnerability poses a significant risk to environments relying on Delinea Privilege Manager for privilege management and endpoint security.
Potential Impact
The vulnerability allows an attacker with low-level local access to escalate privileges to a higher level, potentially SYSTEM or administrator privileges, depending on the agent service context. This can lead to full system compromise, unauthorized access to sensitive data, and the ability to disable or manipulate security controls managed by Delinea Privilege Manager. Organizations relying on this product for privileged access management could see their security posture severely degraded, enabling lateral movement, persistence, and data exfiltration. The impact spans confidentiality, integrity, and availability, as attackers can gain unauthorized control and disrupt operations. Since the agent runs with elevated privileges, exploitation could undermine the entire endpoint security framework. The lack of known exploits in the wild suggests limited current exploitation, but the vulnerability is likely to attract attacker interest given the privileged context and widespread use of the product in enterprise environments.
Mitigation Recommendations
1. Immediately monitor for updates from Delinea and apply patches or upgrades to version 12.0.1096 or later once available.
2. Until patched, restrict write permissions to temporary directories used by .NET Shadow Copies to prevent unauthorized DLL placement by non-administrators.
3. Implement application whitelisting and DLL loading restrictions to ensure only trusted DLLs are loaded by the agent service.
4. Employ endpoint detection and response (EDR) tools to monitor for suspicious DLL loading behaviors and privilege escalation attempts.
5. Conduct regular audits of permissions on temporary directories and shadow copy locations to detect and remediate misconfigurations.
6. Limit local user privileges and enforce the principle of least privilege to reduce the attack surface.
7. Consider isolating or segmenting systems running Delinea Privilege Manager agents to contain potential compromises.
8. Educate system administrators about this vulnerability and encourage vigilance for unusual system behaviors or logs indicating DLL hijacking attempts.
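For items 2 and 5 above, one way to run the permission audit on a Windows endpoint (an added example, not Delinea's tooling or code from this page): it lists allow ACEs that let any principal other than SYSTEM, Administrators or TrustedInstaller create, replace or re-permission files under a directory tree. `$ShadowCopyRoot` is a placeholder, because the page does not name the agent's shadow-copy directory, and `Get-WritableAce` is a hypothetical helper name.

```powershell
param(
    # Placeholder: the page does not give the agent's shadow-copy path; set it per deployment.
    [string]$ShadowCopyRoot = 'C:\PLACEHOLDER\AgentShadowCopy'
)

# Only the bits that allow planting or replacing a file. Modify and FullControl
# contain these bits, so they match too; read-only grants do not.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry generic rights instead of file-specific ones.
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

# Principals expected to hold write access, matched by SID so the check
# works on localized Windows builds.
$trusted = @(
    'S-1-5-18',        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Get-WritableAce {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $dirs = @(Get-Item -LiteralPath $Path -Force) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        # Explicit and inherited rules, with identities returned as SIDs.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($trusted -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            # Resolve the SID to a name for the report; keep the raw SID if it cannot be resolved.
            try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $ace.IdentityReference.Value }
            [pscustomobject]@{
                Directory = $dir.FullName
                Principal = $name
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-WritableAce -Path $ShadowCopyRoot |
    Sort-Object Directory, Principal |
    Format-Table -AutoSize -Wrap
```

The script reports ACEs as written and does not compute effective access, so deny entries and group membership still need to be weighed when reviewing a finding.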
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, Japan, South Korea, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-06-27T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c87b7ef31ef0b565ef8
Added to database: 2/25/2026, 9:41:27 PM
Last enriched: 2/28/2026, 4:23:49 AM
Last updated: 4/11/2026, 4:59:07 PM