CVE-2024-4454 is a local privilege escalation vulnerability identified in WithSecure Elements Endpoint Protection version 23.9. The flaw is categorized under CWE-59, which involves improper link resolution before file access, commonly known as 'link following.' The vulnerability exists within the WithSecure plugin hosting service, where the service improperly handles symbolic links. An attacker with local access can create a symbolic link that the plugin hosting service follows incorrectly, leading to unauthorized file creation or modification. This manipulation allows the attacker to escalate privileges from a low-privileged user to SYSTEM-level privileges by executing arbitrary code in the context of the operating system's highest privilege. Exploitation requires user interaction from an administrator, indicating that an administrator must perform some action that triggers the vulnerable service to follow the malicious symbolic link. The CVSS v3.0 score is 7.3, reflecting high severity due to the combination of local attack vector, low attack complexity, required privileges, and user interaction, with high impact on confidentiality, integrity, and availability. No public exploits or active exploitation campaigns have been reported yet. This vulnerability was assigned by the Zero Day Initiative (ZDI) as ZDI-CAN-23035 and was published on May 22, 2024. The lack of available patches at the time of reporting necessitates immediate attention to mitigate risk.

The impact of CVE-2024-4454 is significant for organizations using WithSecure Elements Endpoint Protection version 23.9. Successful exploitation allows attackers to gain SYSTEM-level privileges, effectively full control over the affected system. This can lead to unauthorized access to sensitive data, disruption of security controls, and potential deployment of further malware or ransomware. Since the vulnerability requires local access and administrator interaction, insider threats or compromised user accounts pose the greatest risk. The ability to execute arbitrary code at SYSTEM level undermines the security posture of endpoint protection itself, potentially disabling or bypassing security mechanisms. Organizations with large deployments of WithSecure Elements, especially in environments where multiple users have local access or where administrators frequently interact with the system, face elevated risk. The absence of known exploits in the wild reduces immediate threat but does not eliminate the risk of future exploitation. The vulnerability could be leveraged in targeted attacks against high-value assets or critical infrastructure where WithSecure Elements is deployed.

1. Monitor WithSecure’s official channels for patches addressing CVE-2024-4454 and apply them promptly once released. 2. Until patches are available, restrict local user permissions to prevent creation of symbolic links or limit local user access on systems running WithSecure Elements. 3. Implement strict administrative policies to minimize unnecessary administrator user interaction with the plugin hosting service or related components. 4. Employ application whitelisting and endpoint detection and response (EDR) solutions to detect anomalous behavior indicative of privilege escalation attempts. 5. Conduct regular audits of local user accounts and permissions to reduce the attack surface. 6. Educate administrators on the risks of interacting with untrusted files or processes that could trigger the vulnerability. 7. Use system hardening techniques to restrict symbolic link creation and enforce least privilege principles. 8. Monitor logs for suspicious symbolic link creation or file access patterns related to the plugin hosting service. These targeted mitigations go beyond generic advice by focusing on controlling symbolic link abuse, limiting administrator interaction, and preparing for patch deployment.