CVE-2024-7240 is a high-severity local privilege escalation vulnerability affecting F-Secure Total version 19.2, specifically within the WithSecure plugin hosting service. The root cause is improper link resolution before file access (CWE-59), commonly known as a 'link following' flaw. This vulnerability allows a local attacker to create a symbolic link that the service follows incorrectly, leading to unauthorized file creation or modification. By exploiting this flaw, the attacker can escalate their privileges from a limited user to SYSTEM level, enabling arbitrary code execution with the highest system privileges. Exploitation requires local access and user interaction by an administrator, which limits remote exploitation but still poses a significant risk in environments where multiple users have local access or where administrators might be tricked into interacting with malicious content. The vulnerability was assigned CVE-2024-7240 and has a CVSS v3.0 base score of 7.3, reflecting high impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the potential for severe damage exists due to the SYSTEM-level code execution capability. The vulnerability was discovered and reported by the Zero Day Initiative (ZDI) under the identifier ZDI-CAN-23005. Currently, no patches or updates have been linked, so mitigation relies on access control and cautious administrative practices.

If exploited, this vulnerability allows attackers with local access to escalate privileges to SYSTEM level, which can lead to full system compromise. This includes the ability to execute arbitrary code, install persistent malware, disable security controls, and access sensitive data. The impact spans confidentiality, integrity, and availability, as attackers can manipulate system files, exfiltrate data, or disrupt services. Organizations relying on F-Secure Total 19.2 for endpoint protection may face significant risk if attackers leverage this flaw to bypass security controls. The requirement for administrator interaction reduces the likelihood of widespread automated exploitation but does not eliminate risk in environments with multiple users or where social engineering is feasible. The absence of known exploits in the wild currently limits immediate threat but the vulnerability's nature makes it a high-priority target for attackers once exploit code becomes available.

1. Restrict local access strictly to trusted users and minimize the number of users with local login rights on systems running F-Secure Total 19.2. 2. Educate administrators and users about the risks of interacting with untrusted files or links, especially in administrative contexts. 3. Monitor and audit local file system changes and symbolic link creations to detect suspicious activity indicative of exploitation attempts. 4. Employ application whitelisting and endpoint detection and response (EDR) solutions to detect and block unauthorized code execution. 5. Maintain up-to-date backups and system snapshots to enable recovery in case of compromise. 6. Stay alert for official patches or updates from F-Secure and apply them promptly once released. 7. Consider deploying additional endpoint protection layers that can detect privilege escalation behaviors. 8. Implement strict privilege separation and use least privilege principles to limit the impact of any local compromise.