CVE-2024-6871 is a local privilege escalation vulnerability identified in G DATA Total Security version 25.5.15.21. The root cause is improper permission assignment (CWE-732) on folders related to autostart tasks, which are critical for the software's startup processes. These folders have permissions that allow low-privileged users to modify or replace files, enabling an attacker who already has limited code execution capabilities on the system to escalate their privileges to SYSTEM level. This escalation allows arbitrary code execution with the highest privileges on the affected Windows system. The vulnerability requires the attacker to have initial access to execute code with low privileges but does not require user interaction or network access, as indicated by the CVSS vector (AV:L/AC:H/PR:L/UI:N). The complexity is high due to the need for local access and some skill to exploit the permissions flaw. The vulnerability was reported by the Zero Day Initiative (ZDI) as ZDI-CAN-22629 and published on November 22, 2024. No public exploits have been observed in the wild yet, but the high impact on confidentiality, integrity, and availability makes this a critical issue for affected users. The vulnerability affects only the specified version of G DATA Total Security, and no patch links are currently provided, indicating that users must monitor vendor updates closely.

The vulnerability allows an attacker with limited local access to escalate privileges to SYSTEM, the highest level on Windows systems, enabling full control over the affected machine. This can lead to complete compromise of the endpoint, including the ability to disable security controls, access sensitive data, install persistent malware, or pivot to other network resources. The impact spans confidentiality (access to sensitive information), integrity (modification of system files and security settings), and availability (potential system disruption or denial of service). Organizations relying on G DATA Total Security version 25.5.15.21 are at risk of internal or external threat actors exploiting this flaw if they gain initial low-privileged access. This can be particularly damaging in environments with sensitive data or critical infrastructure. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as exploit code may be developed rapidly once details are public.

1. Immediately restrict permissions on autostart task folders related to G DATA Total Security to prevent unauthorized modification. 2. Monitor and audit these folders for unexpected changes or additions. 3. Limit local user privileges to the minimum necessary to reduce the chance of initial low-privileged code execution. 4. Employ application whitelisting and endpoint detection and response (EDR) solutions to detect suspicious activities related to privilege escalation attempts. 5. Regularly update and patch G DATA Total Security once the vendor releases a fix addressing this vulnerability. 6. Implement network segmentation to limit lateral movement if a system is compromised. 7. Educate users about the risks of executing untrusted code locally to reduce the likelihood of initial access. 8. Use system hardening best practices to reduce attack surface, including disabling unnecessary autostart entries and services.