
CVE-2025-5480: CWE-427: Uncontrolled Search Path Element in Action1 Action1

Severity: High
Type: Vulnerability
Tags: cve, cve-2025-5480, cwe-427
Published: Fri Jun 06 2025 (06/06/2025, 18:49:18 UTC)
Source: CVE Database V5
Vendor/Project: Action1
Product: Action1

Description

Action1 Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Action1. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the configuration of OpenSSL. The product loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-26767.

AI-Powered Analysis

Last updated: 07/08/2025, 11:28:01 UTC

Technical Analysis

CVE-2025-5480 is a local privilege escalation vulnerability affecting the Action1 product, specifically version 5.216.617.1. The root cause of this vulnerability lies in an uncontrolled search path element related to the OpenSSL configuration file used by Action1. The product loads its OpenSSL configuration from an insecure location, which can be manipulated by a local attacker who already has the ability to execute low-privileged code on the system. By placing a malicious OpenSSL configuration file in this unsecured path, the attacker can escalate their privileges to SYSTEM level, allowing arbitrary code execution with the highest privileges on the affected machine. This vulnerability is categorized under CWE-427, which refers to the use of an uncontrolled search path element that can lead to loading malicious files. The CVSS v3.0 base score is 7.8, indicating a high severity level, with attack vector limited to local access (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), and impacting confidentiality, integrity, and availability (C:H/I:H/A:H). There are no known exploits in the wild at the time of publication, and no patches have been linked yet. The vulnerability was assigned and published by the Zero Day Initiative (ZDI) under the identifier ZDI-CAN-26767.

Potential Impact

For European organizations using Action1 version 5.216.617.1, this vulnerability poses a significant risk. Since Action1 is a remote endpoint management and security platform, it is often deployed in enterprise environments to manage large numbers of endpoints. An attacker who gains low-privileged code execution on any managed endpoint could leverage this vulnerability to escalate privileges to SYSTEM, potentially compromising the entire endpoint. This could lead to unauthorized access to sensitive data, disruption of services, and lateral movement within the network. The high impact on confidentiality, integrity, and availability means attackers could exfiltrate data, install persistent malware, or disrupt operations. Given the local attack vector, initial compromise might come from phishing, malicious insider activity, or exploitation of other vulnerabilities. The lack of user interaction requirement increases the risk of automated exploitation once local access is obtained. European organizations with regulatory requirements around data protection (e.g., GDPR) could face compliance issues and reputational damage if exploited. The absence of a patch at the time of disclosure further elevates risk, necessitating immediate mitigation.

Mitigation Recommendations

1. Restrict local access: Limit the number of users with local access to systems running Action1 and enforce strict access controls to reduce the risk of initial low-privileged code execution.
2. Monitor and audit: Implement monitoring for unusual file modifications or creation in directories where OpenSSL configuration files are loaded, and audit privilege escalation attempts.
3. Harden OpenSSL configuration: If possible, configure Action1 to load OpenSSL configuration files from secured, trusted locations with strict permissions to prevent unauthorized replacement or tampering.
4. Apply principle of least privilege: Ensure that users and processes have only the minimum privileges necessary to perform their tasks, reducing the impact of potential exploitation.
5. Network segmentation: Isolate critical systems and management consoles to limit lateral movement opportunities after privilege escalation.
6. Vendor engagement: Engage with Action1 to obtain patches or official guidance as soon as they become available and prioritize patch deployment.
7. Endpoint protection: Deploy endpoint detection and response (EDR) solutions capable of detecting suspicious local privilege escalation behaviors.
8. Incident response readiness: Prepare incident response plans specifically addressing local privilege escalation scenarios to enable rapid containment and remediation.
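Recommendations 2 and 3 come down to one question: can a low-privileged local user create, replace or re-permission the OpenSSL configuration file that a SYSTEM-level service will read? The script below is an added example, not code from the advisory, from ZDI or from Action1. It audits the DACL of a configuration path and of its parent directory for write-type rights granted to Everyone, Authenticated Users, INTERACTIVE or BUILTIN\Users. The advisory does not name the location Action1 reads, so the path is a parameter: `OPENSSL_CONF` is OpenSSL's standard override variable, and the fallback path is a placeholder to replace with the path found in your own deployment.

```powershell
# Added example (not from the advisory or from Action1): audits whether an
# OpenSSL configuration path, or the directory it lives in, grants write-type
# rights to low-privilege principals. That condition is what CWE-427 abuses
# when a privileged process loads the file.
function Test-OpenSslConfigWritable {
    param(
        [Parameter(Mandatory)][string]$Path
    )

    # Well-known SIDs that every low-privileged local user is a member of.
    $lowPrivSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-4'      = 'INTERACTIVE'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }

    # Rights that let a user plant, replace or re-permission the file.
    # Composite rights (Write, Modify, FullControl) contain these bits, so a
    # bitwise test against this mask catches them as well.
    $F = [System.Security.AccessControl.FileSystemRights]
    $dangerous = ($F::CreateFiles -bor $F::CreateDirectories -bor
                  $F::Delete -bor $F::DeleteSubdirectoriesAndFiles -bor
                  $F::ChangePermissions -bor $F::TakeOwnership)

    # Check the file itself (if present) and its parent directory. A missing
    # file inside a user-writable directory is the planting scenario, so the
    # directory check matters even when the file does not exist yet.
    $targets = @()
    if (Test-Path -LiteralPath $Path) {
        $targets += (Get-Item -LiteralPath $Path).FullName
    }
    $parent = Split-Path -LiteralPath $Path -Parent
    if ($parent -and (Test-Path -LiteralPath $parent)) {
        $targets += $parent
    }

    $findings = foreach ($target in $targets) {
        $acl = Get-Acl -LiteralPath $target
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.FileSystemRights -band $dangerous) -eq 0) { continue }
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                continue   # unresolvable identity; not one of the well-known SIDs
            }
            if ($lowPrivSids.ContainsKey($sid)) {
                [pscustomobject]@{
                    Target    = $target
                    Principal = $lowPrivSids[$sid]
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
    return $findings
}

# Usage: OPENSSL_CONF is OpenSSL's standard override; the fallback is a
# placeholder, since the advisory does not name the path Action1 uses.
$configPath = if ($env:OPENSSL_CONF) { $env:OPENSSL_CONF } else { 'C:\PLACEHOLDER\openssl.cnf' }
$findings = Test-OpenSslConfigWritable -Path $configPath
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No low-privilege write access on $configPath or its directory."
}
```

Any row the script prints is a finding to fix before relying on monitoring: remove the offending ACE or move the file to a directory that only Administrators and SYSTEM can write, which is recommendation 3. For recommendation 2, the same directory is the one to watch for file creation and modification events once its permissions are correct.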


Technical Details

Data Version
5.1
Assigner Short Name
zdi
Date Reserved
2025-06-02T19:15:45.334Z
Cvss Version
3.0
State
PUBLISHED

Threat ID: 68433b2271f4d251b5d94a34

Added to database: 6/6/2025, 7:01:54 PM

Last enriched: 7/8/2025, 11:28:01 AM

Last updated: 8/14/2025, 5:33:14 AM

