CVE-2024-9766 is a local privilege escalation vulnerability identified in the WTabletServicePro component of Wacom Center version 6.4.6.5001. The vulnerability stems from improper link resolution before file access (CWE-59), commonly known as 'link following'. Specifically, the WTabletServicePro process does not securely handle symbolic links when creating files, allowing an attacker who already has the ability to execute low-privileged code on the system to create a symbolic link that points to an arbitrary file location. When the service follows this link, it inadvertently writes or creates files at locations that can lead to privilege escalation. By exploiting this flaw, an attacker can execute arbitrary code with SYSTEM-level privileges, effectively gaining full control over the affected machine. The vulnerability requires local access and low-privileged code execution as a prerequisite, but does not require user interaction. The CVSS v3.0 base score of 7.8 reflects a high severity, with attack vector local, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. The vulnerability was reported by the Zero Day Initiative (ZDI) as ZDI-CAN-24304 and was publicly disclosed on November 22, 2024. No patches or updates are currently linked, and no known exploits have been observed in the wild, but the potential for exploitation remains significant due to the nature of the flaw and the privileges gained upon successful exploitation.

The impact of CVE-2024-9766 is substantial for organizations using Wacom Center version 6.4.6.5001. Successful exploitation allows attackers with limited local access to escalate privileges to SYSTEM level, enabling full control over the affected system. This can lead to unauthorized access to sensitive data, installation of persistent malware, disabling of security controls, and lateral movement within networks. The compromise of SYSTEM privileges can also undermine the integrity and availability of critical systems, potentially disrupting business operations. Organizations relying on Wacom Center in environments with multiple users or where local access is possible (e.g., shared workstations, corporate laptops) are particularly at risk. Although exploitation requires initial low-privileged code execution, this prerequisite is often achievable through other vulnerabilities or social engineering, making this vulnerability a critical component in multi-stage attacks.

To mitigate CVE-2024-9766, organizations should: 1) Monitor for updates or patches from Wacom and apply them promptly once available. 2) Restrict local access to systems running Wacom Center to trusted users only, minimizing opportunities for low-privileged code execution. 3) Employ application whitelisting and endpoint protection solutions to prevent unauthorized code execution at low privilege levels. 4) Use file system permissions and access control lists (ACLs) to limit the ability of users to create symbolic links or modify files in directories accessed by WTabletServicePro. 5) Conduct regular audits of local user privileges and remove unnecessary permissions. 6) Monitor system logs for suspicious symbolic link creation or unusual file operations related to WTabletServicePro. 7) Consider isolating or sandboxing Wacom Center processes where feasible to limit the impact of potential exploitation. 8) Educate users about the risks of executing untrusted code locally and enforce strict policies on software installation and execution.