CVE-2025-6241 is a local privilege escalation vulnerability affecting the LsiAgent.exe component of Lakeside Software's SyStrack product, specifically version 10.05.0027. The vulnerability arises from an uncontrolled search path element (CWE-427) in the way LsiAgent.exe attempts to load certain DLL files. These DLLs are not included in the default installation, which means the executable relies on the Windows dynamic-link library (DLL) search order to locate them. If a directory that is writable by a non-privileged user is included in the SYSTEM PATH environment variable, an attacker can place a malicious DLL with arbitrary code in that directory. When the SyStrack service starts or restarts, it loads the malicious DLL under the context of NT AUTHORITY\SYSTEM, the highest privilege level on Windows systems. This results in the attacker gaining local SYSTEM-level privileges without requiring authentication or user interaction beyond placing the DLL. The vulnerability exploits the default Windows DLL search order, which prioritizes directories in the PATH environment variable, including potentially user-writable locations. No public exploits are currently known in the wild, and no official patches or mitigations have been published yet. The vulnerability was reserved in June 2025 and published in July 2025, indicating recent discovery and disclosure. The lack of a CVSS score requires an independent severity assessment based on the technical details.

For European organizations, this vulnerability poses a significant risk, particularly in environments where SyStrack is deployed for endpoint monitoring and analytics. Successful exploitation allows an attacker with local access to escalate privileges to SYSTEM level, potentially enabling full control over affected endpoints. This can lead to unauthorized access to sensitive data, disruption of endpoint monitoring capabilities, and facilitation of further lateral movement within corporate networks. Given that SyStrack is often used in enterprise environments for performance and security monitoring, compromise of its agent could undermine security visibility and incident response efforts. The vulnerability is especially critical in organizations with shared or poorly controlled endpoint environments where users may have write access to directories included in the system PATH. European organizations in sectors such as finance, manufacturing, healthcare, and government, which rely on endpoint monitoring tools and have strict regulatory compliance requirements (e.g., GDPR), could face severe operational and compliance impacts if exploited.

To mitigate this vulnerability, European organizations should immediately audit the SYSTEM PATH environment variable on all endpoints running SyStrack 10.05.0027 to ensure no user-writable directories are included. Remove or restrict write permissions on any such directories to prevent unauthorized DLL placement. Employ application whitelisting or endpoint protection solutions that monitor and block unauthorized DLL loading or modifications in critical system paths. Until an official patch is released by Lakeside Software, consider isolating or restricting the use of SyStrack agents on endpoints with multiple users or where local users have elevated privileges. Implement strict local user privilege management to minimize the risk of local code execution leading to privilege escalation. Monitor system and security logs for unusual service restarts or DLL load events related to LsiAgent.exe. Engage with Lakeside Software support for updates and apply patches promptly once available. Additionally, educate system administrators and endpoint users about the risks of modifying system environment variables and the importance of maintaining secure directory permissions.