CVE-2025-47422: n/a

Severity: High
Published: Tue Jul 08 2025 (07/08/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Advanced Installer before 22.6 has an uncontrolled search path element local privilege escalation vulnerability. When running as SYSTEM in certain configurations, Advanced Installer looks in standard-user writable locations for non-existent binaries and executes them as SYSTEM. A low-privileged attacker can place a malicious binary in a targeted folder; when the installer is executed, the attacker achieves arbitrary SYSTEM code execution.

AI-Powered Analysis

Last updated: 07/25/2025, 00:40:59 UTC

Technical Analysis

CVE-2025-47422 is a local privilege escalation vulnerability affecting Advanced Installer versions prior to 22.6. It is an uncontrolled search path element issue: when the installer runs with SYSTEM privileges under certain configurations, it searches for binaries in directories that standard users can write to. Because the binaries it looks for do not exist, a low-privileged attacker can place a malicious binary in a targeted folder, and the installer executes it with SYSTEM privileges when it runs, giving the attacker arbitrary code execution at the highest privilege level on the affected system. The vulnerability is classified under CWE-266 (Improper Privilege Management).

The CVSS v3.1 base score is 7.5, indicating high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high impact on confidentiality (C:H), and no impact on integrity or availability (I:N/A:N). That vector describes a network-reachable, confidentiality-only issue and does not match the local, SYSTEM-level code execution described above, so check it against the CVE record before using the score for prioritization. There are no known exploits in the wild at the time of publication, and no patches have been linked yet. The vulnerability matters because it allows privilege escalation from a non-privileged user to SYSTEM level without user interaction, potentially enabling attackers to fully compromise affected Windows systems where Advanced Installer is used.

Potential Impact

For European organizations, the impact of CVE-2025-47422 can be significant, especially in environments where Advanced Installer is used for software deployment or system configuration. Successful exploitation allows attackers to escalate privileges from a standard user to SYSTEM, potentially leading to full system compromise, unauthorized access to sensitive data, and the ability to install persistent malware or backdoors. This could disrupt business operations, lead to data breaches, and violate compliance requirements such as GDPR. Organizations relying on automated deployment tools or running Advanced Installer in environments with multiple user privilege levels are particularly at risk. The vulnerability's exploitation does not require user interaction or prior authentication, increasing the risk of automated or opportunistic attacks within compromised internal networks or by malicious insiders.

Mitigation Recommendations

European organizations should take immediate steps to mitigate this vulnerability. First, they should upgrade Advanced Installer to version 22.6 or later once available, as this will contain the fix for the uncontrolled search path issue. Until a patch is available, organizations should restrict write permissions on directories that Advanced Installer searches for binaries, ensuring that standard users cannot write to these locations. Implementing application whitelisting and restricting execution of unauthorized binaries can also reduce risk. Additionally, monitoring for unusual binary execution patterns and privilege escalation attempts on endpoints can help detect exploitation attempts. Organizations should review deployment configurations to avoid running installers with SYSTEM privileges unnecessarily and consider isolating installation processes to minimize exposure. Finally, educating IT staff about this vulnerability and maintaining strong endpoint security controls will help reduce the attack surface.
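The write-permission check recommended above can be scripted. The following PowerShell is an added example, not code from this page or from the Advanced Installer vendor: the function name `Get-UserWritableDirectory` is hypothetical, and because the page does not name the folders the installer searches, the directory list is an input you supply (the machine PATH is used here only as a constructed starting point). It evaluates Allow entries for four well-known low-privileged groups and does not model Deny entries or ownership.

```powershell
# Added example (not vendor code). Well-known SIDs of principals that include standard users.
$LowPrivSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-4',      # INTERACTIVE
    'S-1-5-32-545'  # BUILTIN\Users
)
# Rights that let a principal add a file (CreateFiles) or subfolder (AppendData) to a directory.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles) -bor
             [int]([System.Security.AccessControl.FileSystemRights]::AppendData)
$InheritOnly = [int]([System.Security.AccessControl.PropagationFlags]::InheritOnly)
$SidType = [System.Security.Principal.SecurityIdentifier]

function Get-UserWritableDirectory {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A missing search directory can be created by anyone who can write to its parent.
            [pscustomobject]@{ Path = $dir; Sid = $null; Rights = $null; Note = 'missing: check parent' }
            continue
        }
        # Explicit and inherited rules, with identities returned as SID strings.
        $rules = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $SidType)
        foreach ($ace in $rules) {
            # Inherit-only entries apply to children, not to the directory itself.
            $appliesHere = (([int]$ace.PropagationFlags -band $InheritOnly) -eq 0)
            $canWrite    = (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)
            if ($ace.AccessControlType -eq 'Allow' -and $appliesHere -and $canWrite -and
                $LowPrivSids -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Path   = $dir
                    Sid    = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights
                    Note   = 'user-writable'
                }
            }
        }
    }
}

# Constructed starting point: machine PATH entries. Replace with the folders that
# your own trace of the installer shows it probing.
$dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_ } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }
Get-UserWritableDirectory -Path $dirs | Format-Table -AutoSize
```

Any row it returns is a directory where a standard user can plant a file; tighten the ACL or remove the directory from the search path on hosts that run installers as SYSTEM.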

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-05-07T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 686d269f6f40f0eb72f5f8e2

Added to database: 7/8/2025, 2:09:35 PM

Last enriched: 7/25/2025, 12:40:59 AM

Last updated: 8/21/2025, 5:33:52 PM
