CVE-2024-6147 is a local privilege escalation vulnerability identified in Poly Plantronics Hub version 3.24.2 Build 36336, specifically within the Spokes Update Service component. The root cause is an improper link resolution before file access, categorized under CWE-59 ('Improper Link Resolution Before File Access'). This flaw allows a local attacker who already has the ability to execute low-privileged code on the system to create a symbolic link (symlink) that the Spokes Update Service follows improperly. By doing so, the attacker can trick the service into deleting arbitrary files, which can be leveraged to escalate privileges. The escalation occurs because the service runs with SYSTEM-level privileges, and by manipulating file operations through symlinks, the attacker can execute arbitrary code in the SYSTEM context. Exploitation does not require user interaction but does require prior local code execution capability, such as through another vulnerability or limited user access. The vulnerability was assigned CVE-2024-6147 and has a CVSS v3.0 base score of 7.8, reflecting high severity due to its impact on confidentiality, integrity, and availability. The vulnerability was reported by the Zero Day Initiative (ZDI) as ZDI-CAN-18271. No patches or exploit code are currently publicly available, but the risk remains significant given the potential for full system compromise.

The impact of CVE-2024-6147 is substantial for organizations using the affected Poly Plantronics Hub version. Successful exploitation allows an attacker with limited local access to escalate privileges to SYSTEM level, effectively gaining full control over the affected machine. This can lead to unauthorized access to sensitive data, installation of persistent malware, disruption of services, and lateral movement within enterprise networks. Since Plantronics Hub is commonly used in corporate environments for managing audio devices and communications, compromised systems could undermine the security of communication infrastructure. The vulnerability’s requirement for local code execution limits remote exploitation but does not eliminate risk, especially in environments where attackers can gain initial footholds through phishing, malware, or insider threats. The absence of known exploits in the wild currently reduces immediate risk, but the high severity score and potential impact necessitate urgent mitigation to prevent future attacks.

To mitigate CVE-2024-6147, organizations should first verify if they are running the affected Plantronics Hub version 3.24.2 Build 36336 and plan to upgrade to a patched version once available from Poly. In the absence of an official patch, implement the following specific mitigations: 1) Restrict local user permissions to prevent untrusted users from executing code or creating symbolic links in directories accessed by the Spokes Update Service. 2) Employ application whitelisting and endpoint protection to detect and block unauthorized symbolic link creation or suspicious file deletion activities. 3) Monitor logs for unusual file system operations related to the Spokes Update Service. 4) Harden the update service by running it with the least privileges necessary and isolating it from user-writable directories. 5) Use filesystem permissions and access control lists (ACLs) to prevent unauthorized modification of files targeted by the service. 6) Educate users and administrators about the risk of local privilege escalation and the importance of maintaining strict access controls. These steps reduce the attack surface and limit the ability of attackers to exploit the vulnerability even if they gain low-level access.