CVE-2024-6260 is a local privilege escalation vulnerability identified in Malwarebytes Anti-Malware version 4.6.6. The root cause is improper link resolution before file access, classified under CWE-59. Specifically, the Malwarebytes service improperly handles symbolic links created by a local attacker. By crafting a symbolic link, an attacker can trick the service into deleting arbitrary files, which can be leveraged to escalate privileges from a low-privileged user to SYSTEM level. This escalation allows execution of arbitrary code with the highest system privileges. Exploitation requires the attacker to have initial low-privileged code execution capabilities on the system but does not require user interaction. The vulnerability was reported by the Zero Day Initiative (ZDI) as ZDI-CAN-22321 and has a CVSS v3.0 score of 7.0, indicating high severity. The attack vector is local, with high attack complexity and low privileges required. The vulnerability impacts confidentiality, integrity, and availability by enabling full system compromise. No patches were listed at the time of publication, and no known exploits have been observed in the wild. Organizations relying on Malwarebytes Anti-Malware 4.6.6 should monitor for updates and consider interim mitigations to restrict local user capabilities.

The vulnerability allows local attackers to escalate privileges to SYSTEM level, which can lead to complete compromise of affected systems. This includes unauthorized access to sensitive data, modification or deletion of critical files, and the ability to install persistent malware or backdoors. The impact extends to confidentiality, integrity, and availability of the system. Since Malwarebytes Anti-Malware is widely used for endpoint protection, exploitation could undermine the security posture of organizations, potentially allowing attackers to bypass security controls and maintain persistence. The requirement for initial low-privileged code execution limits remote exploitation but does not eliminate risk, especially in environments where local user accounts are shared or compromised. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future active exploitation. Organizations with high-value assets or regulatory requirements face increased risk from this vulnerability.

1. Apply official patches from Malwarebytes as soon as they become available to address CVE-2024-6260. 2. Until patches are released, restrict local user permissions to prevent unauthorized code execution and symbolic link creation in directories monitored or used by Malwarebytes services. 3. Implement application whitelisting and endpoint protection policies to limit execution of untrusted code by low-privileged users. 4. Monitor file system activity for suspicious symbolic link creation or deletion attempts targeting Malwarebytes service files. 5. Use system integrity monitoring tools to detect unauthorized changes to critical files. 6. Enforce the principle of least privilege for all local accounts and disable unnecessary local accounts. 7. Conduct regular audits of local user permissions and group memberships to reduce the attack surface. 8. Educate system administrators and users about the risks of local privilege escalation and the importance of applying security updates promptly.