CVE-2025-5480 is a local privilege escalation vulnerability affecting the Action1 product, specifically version 5.216.617.1. The root cause of this vulnerability lies in an uncontrolled search path element related to the OpenSSL configuration file used by Action1. The product loads its OpenSSL configuration from an insecure location, which can be manipulated by a local attacker who already has the ability to execute low-privileged code on the system. By placing a malicious OpenSSL configuration file in this unsecured path, the attacker can escalate their privileges to SYSTEM level, allowing arbitrary code execution with the highest privileges on the affected machine. This vulnerability is categorized under CWE-427, which refers to the use of an uncontrolled search path element that can lead to loading malicious files. The CVSS v3.0 base score is 7.8, indicating a high severity level, with attack vector limited to local access (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), and impacting confidentiality, integrity, and availability (C:H/I:H/A:H). There are no known exploits in the wild at the time of publication, and no patches have been linked yet. The vulnerability was assigned and published by the Zero Day Initiative (ZDI) under the identifier ZDI-CAN-26767.

For European organizations using Action1 version 5.216.617.1, this vulnerability poses a significant risk. Since Action1 is a remote endpoint management and security platform, it is often deployed in enterprise environments to manage large numbers of endpoints. An attacker who gains low-privileged code execution on any managed endpoint could leverage this vulnerability to escalate privileges to SYSTEM, potentially compromising the entire endpoint. This could lead to unauthorized access to sensitive data, disruption of services, and lateral movement within the network. The high impact on confidentiality, integrity, and availability means attackers could exfiltrate data, install persistent malware, or disrupt operations. Given the local attack vector, initial compromise might come from phishing, malicious insider activity, or exploitation of other vulnerabilities. The lack of user interaction requirement increases the risk of automated exploitation once local access is obtained. European organizations with regulatory requirements around data protection (e.g., GDPR) could face compliance issues and reputational damage if exploited. The absence of a patch at the time of disclosure further elevates risk, necessitating immediate mitigation.

1. Restrict local access: Limit the number of users with local access to systems running Action1 and enforce strict access controls to reduce the risk of initial low-privileged code execution. 2. Monitor and audit: Implement monitoring for unusual file modifications or creation in directories where OpenSSL configuration files are loaded, and audit privilege escalation attempts. 3. Harden OpenSSL configuration: If possible, configure Action1 to load OpenSSL configuration files from secured, trusted locations with strict permissions to prevent unauthorized replacement or tampering. 4. Apply principle of least privilege: Ensure that users and processes have only the minimum privileges necessary to perform their tasks, reducing the impact of potential exploitation. 5. Network segmentation: Isolate critical systems and management consoles to limit lateral movement opportunities after privilege escalation. 6. Vendor engagement: Engage with Action1 to obtain patches or official guidance as soon as they become available and prioritize patch deployment. 7. Endpoint protection: Deploy endpoint detection and response (EDR) solutions capable of detecting suspicious local privilege escalation behaviors. 8. Incident response readiness: Prepare incident response plans specifically addressing local privilege escalation scenarios to enable rapid containment and remediation.