CVE-2025-47422 is a local privilege escalation vulnerability affecting Advanced Installer versions prior to 22.6. The vulnerability arises from an uncontrolled search path element when the installer is executed with SYSTEM privileges in certain configurations. Specifically, Advanced Installer attempts to locate binaries by searching directories that are writable by standard (non-administrative) users. If a required binary is missing, the installer looks for it in these writable locations and, if found, executes it with SYSTEM privileges. This behavior allows a low-privileged attacker to place a malicious binary in one of these writable directories. When the installer runs, it inadvertently executes the attacker-controlled binary with SYSTEM-level privileges, effectively granting the attacker arbitrary code execution at the highest privilege level on the system. This type of vulnerability is particularly dangerous because it bypasses normal privilege boundaries and can be exploited without user interaction once the attacker has local access. The vulnerability does not require network access or authentication beyond local user rights, but it does require the attacker to have the ability to write files to specific directories that the installer searches. No public exploits are known at this time, and no CVSS score has been assigned yet. However, the nature of the vulnerability indicates a critical risk due to the potential for full system compromise.

For European organizations, this vulnerability poses a significant risk, especially in environments where Advanced Installer is used to deploy software with SYSTEM privileges. Successful exploitation could allow attackers to escalate from a low-privileged user account to full SYSTEM control, enabling them to install persistent malware, steal sensitive data, disrupt operations, or move laterally within the network. This is particularly concerning for sectors with strict regulatory requirements such as finance, healthcare, and critical infrastructure, where unauthorized SYSTEM-level access could lead to severe compliance violations and operational disruptions. Additionally, organizations with large numbers of endpoints using Advanced Installer for software deployment may face widespread exposure. The vulnerability could be leveraged by insider threats or attackers who have gained limited access through phishing or other initial compromise vectors. Given the lack of known exploits, the threat may currently be low but could increase rapidly once exploit code becomes available.

Organizations should immediately identify all instances of Advanced Installer in their environment and verify the version in use. Upgrading to version 22.6 or later, where this vulnerability is fixed, is the most effective mitigation. Until patching is possible, organizations should restrict write permissions on directories that Advanced Installer searches for binaries, ensuring that standard users cannot place executable files in these locations. Implementing application whitelisting and endpoint protection solutions that monitor and block unauthorized execution of binaries can provide additional layers of defense. It is also advisable to audit and monitor installer execution logs for unusual activity indicative of exploitation attempts. Network segmentation and least privilege principles should be enforced to limit the impact of any local compromise. Finally, educating users about the risks of local privilege escalation and maintaining robust endpoint security hygiene will reduce the likelihood of successful exploitation.