CVE-2025-5480: CWE-427: Uncontrolled Search Path Element in Action1 Action1
Action1 Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Action1. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the configuration of OpenSSL. The product loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-26767.
AI Analysis
Technical Summary
CVE-2025-5480 is a local privilege escalation vulnerability affecting the Action1 product, specifically version 5.216.617.1. The root cause of this vulnerability lies in an uncontrolled search path element related to the OpenSSL configuration file used by Action1. The product loads its OpenSSL configuration from an insecure location, which can be manipulated by a local attacker who already has the ability to execute low-privileged code on the system. By placing a malicious OpenSSL configuration file in this unsecured path, the attacker can escalate their privileges to SYSTEM level, allowing arbitrary code execution with the highest privileges on the affected machine. This vulnerability is categorized under CWE-427, which refers to the use of an uncontrolled search path element that can lead to loading malicious files. The CVSS v3.0 base score is 7.8, indicating a high severity level, with attack vector limited to local access (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), and impacting confidentiality, integrity, and availability (C:H/I:H/A:H). There are no known exploits in the wild at the time of publication, and no patches have been linked yet. The vulnerability was assigned and published by the Zero Day Initiative (ZDI) under the identifier ZDI-CAN-26767.
Potential Impact
For European organizations using Action1 version 5.216.617.1, this vulnerability poses a significant risk. Since Action1 is a remote endpoint management and security platform, it is often deployed in enterprise environments to manage large numbers of endpoints. An attacker who gains low-privileged code execution on any managed endpoint could leverage this vulnerability to escalate privileges to SYSTEM, potentially compromising the entire endpoint. This could lead to unauthorized access to sensitive data, disruption of services, and lateral movement within the network. The high impact on confidentiality, integrity, and availability means attackers could exfiltrate data, install persistent malware, or disrupt operations. Given the local attack vector, initial compromise might come from phishing, malicious insider activity, or exploitation of other vulnerabilities. The lack of user interaction requirement increases the risk of automated exploitation once local access is obtained. European organizations with regulatory requirements around data protection (e.g., GDPR) could face compliance issues and reputational damage if exploited. The absence of a patch at the time of disclosure further elevates risk, necessitating immediate mitigation.
Mitigation Recommendations
1. Restrict local access: Limit the number of users with local access to systems running Action1 and enforce strict access controls to reduce the risk of initial low-privileged code execution.
2. Monitor and audit: Implement monitoring for unusual file modifications or creation in directories where OpenSSL configuration files are loaded, and audit privilege escalation attempts.
3. Harden OpenSSL configuration: If possible, configure Action1 to load OpenSSL configuration files from secured, trusted locations with strict permissions to prevent unauthorized replacement or tampering.
4. Apply principle of least privilege: Ensure that users and processes have only the minimum privileges necessary to perform their tasks, reducing the impact of potential exploitation.
5. Network segmentation: Isolate critical systems and management consoles to limit lateral movement opportunities after privilege escalation.
6. Vendor engagement: Engage with Action1 to obtain patches or official guidance as soon as they become available and prioritize patch deployment.
7. Endpoint protection: Deploy endpoint detection and response (EDR) solutions capable of detecting suspicious local privilege escalation behaviors.
8. Incident response readiness: Prepare incident response plans specifically addressing local privilege escalation scenarios to enable rapid containment and remediation.
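Recommendations 2 and 3 reduce to one question an administrator can check directly: can a low-privileged account modify, or create, the OpenSSL configuration file that a SYSTEM-level service will read? The PowerShell script below is an added example written for this page; it is not code from the advisory, from ZDI, or from Action1. The advisory does not name the path Action1 loads from, so $ConfigPath is a placeholder to be replaced with the location taken from vendor guidance (an OpenSSL-linked program normally takes this path from the OPENSSL_CONF environment variable or from its compiled-in default). The list of low-privileged identities and the rights mask are the script's own choices, not values from the page.

```powershell
# Added example: audit whether low-privileged accounts can modify or create the
# OpenSSL configuration file that a SYSTEM-level service will load (CWE-427).
# $ConfigPath is a PLACEHOLDER; the advisory does not state the path Action1 uses.
param(
    [string]$ConfigPath = 'C:\PLACEHOLDER\openssl.cnf'
)

# Identities that should never hold write rights on such a file or its directory
# (assumed list; extend it for the environment being audited).
$lowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the holder replace the file or drop a new one into the directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Test-LowPrivWritable {
    # Emits one finding string per Allow ACE that grants write-class rights
    # to a low-privileged identity on $Path; emits nothing when the ACL is clean.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($lowPrivIdentities -contains $id -and
            (($ace.FileSystemRights -band $writeMask) -ne 0)) {
            "$id holds $($ace.FileSystemRights) on $Path"
        }
    }
}

function Get-NearestExistingAncestor {
    # Walks up a path that does not exist until it reaches a directory that does.
    param([string]$Path)
    $p = $Path
    while (-not (Test-Path -LiteralPath $p)) {
        $parent = Split-Path -Parent $p
        if ([string]::IsNullOrEmpty($parent) -or $parent -eq $p) { return $null }
        $p = $parent
    }
    return $p
}

$findings = @()
$targets = @()
if (Test-Path -LiteralPath $ConfigPath) {
    # Check the file itself and the directory it lives in: a writable directory
    # allows the file to be renamed away and replaced even if the file is locked down.
    $targets += $ConfigPath
    $targets += Split-Path -Parent $ConfigPath
} else {
    # An absent file is the worse case: whoever can create the missing path decides
    # what the service loads. Audit the nearest directory that does exist.
    $anchor = Get-NearestExistingAncestor -Path $ConfigPath
    $findings += "$ConfigPath does not exist; nearest existing ancestor is '$anchor'"
    if ($anchor) { $targets += $anchor }
}

foreach ($t in ($targets | Select-Object -Unique)) {
    $findings += @(Test-LowPrivWritable -Path $t)
}

if ($findings.Count -eq 0) {
    Write-Output "OK: no write-class rights for low-privileged identities on $ConfigPath or its directory"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from an elevated prompt with the real path as -ConfigPath. It inspects only explicit Allow ACEs on the file and its immediate directory (or the nearest existing ancestor when the file is missing), so it does not resolve group membership or generic-rights bits; a clean result here is a necessary condition for recommendation 3, not proof of it. Any FINDING line is the concrete thing to fix with strict permissions, and the same file and directory are the ones worth placing under file-creation and modification monitoring per recommendation 2.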
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: zdi
- Date Reserved: 2025-06-02T19:15:45.334Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68433b2271f4d251b5d94a34
Added to database: 6/6/2025, 7:01:54 PM
Last enriched: 7/8/2025, 11:28:01 AM
Last updated: 8/7/2025, 3:47:26 PM
Related Threats
- CVE-2025-8938: Backdoor in TOTOLINK N350R (Medium)
- CVE-2025-8937: Command Injection in TOTOLINK N350R (Medium)
- CVE-2025-8936: SQL Injection in 1000 Projects Sales Management System (Medium)
- CVE-2025-5942: CWE-122 Heap-based Buffer Overflow in Netskope Netskope Client (Medium)
- CVE-2025-5941: CWE-125 Out-of-Bounds Read in Netskope Netskope Client (Low)