
CVE-2025-6241: CWE-427 Uncontrolled Search Path Element in Lakeside Software SysTrack

Medium
Tags: Vulnerability, CVE-2025-6241, CWE-427
Published: Sun Jul 27 2025 (07/27/2025, 00:46:41 UTC)
Source: CVE Database V5
Vendor/Project: Lakeside Software
Product: SysTrack

Description

LsiAgent.exe, a component of SysTrack from Lakeside Software, attempts to load several DLL files which are not present in the default installation. If a user-writable directory is present in the SYSTEM PATH environment variable, the user can write a malicious DLL to that directory with arbitrary code. This malicious DLL is executed in the context of NT AUTHORITY\SYSTEM upon service start or restart, due to the Windows default dynamic-link library search order, resulting in local elevation of privileges.

AI-Powered Analysis

Last updated: 08/04/2025, 00:49:28 UTC

Technical Analysis

CVE-2025-6241 is a vulnerability classified under CWE-427 (Uncontrolled Search Path Element) in Lakeside Software's SysTrack product, specifically version 10.05.0027. It arises from the way the LsiAgent.exe component attempts to load several DLL files that are not included in the default installation package. If a directory writable by a non-privileged user exists in the SYSTEM PATH environment variable, an attacker can place a malicious DLL in that directory. When the SysTrack service starts or restarts, Windows' default DLL search order causes that DLL to be loaded and executed in the context of the NT AUTHORITY\SYSTEM account, granting the attacker local privilege escalation. Exploitation requires local access and user interaction to trigger the service restart. The vulnerability has a CVSS v3.1 base score of 4.4 (medium severity), with low impact on confidentiality and integrity and no impact on availability. The attack vector is local, attack complexity is low, no privileges are required, and user interaction is required. No public exploits have been reported, and no patches had been published at the time of disclosure.

Potential Impact

For European organizations, this vulnerability poses a risk primarily in environments where SysTrack 10.05.0027 is deployed and where local user accounts have write permissions to directories included in the SYSTEM PATH variable. Successful exploitation leads to local privilege escalation, allowing an attacker with limited access to gain SYSTEM-level privileges. This can facilitate further malicious activities such as installing persistent malware, disabling security controls, or accessing sensitive data. While the vulnerability does not directly allow remote exploitation, the impact is significant in multi-user or shared environments, such as corporate desktops or terminal servers, where unprivileged users might exist. Given the widespread use of SysTrack for endpoint monitoring and analytics in enterprise environments, exploitation could undermine endpoint security and trustworthiness of monitoring data. However, the lack of remote exploitability and requirement for user interaction somewhat limits the threat scope. Organizations with strict endpoint security policies and controlled user permissions are less likely to be impacted.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should first audit the SYSTEM PATH environment variable on all endpoints running SysTrack to ensure no user-writable directories are included. Remove or restrict write permissions on any such directories to prevent unauthorized DLL placement. Additionally, implement application whitelisting or code integrity policies (e.g., Windows Defender Application Control or AppLocker) to block execution of unauthorized DLLs. Organizations should monitor service restarts of SysTrack and investigate any unexpected restarts or DLL loading behavior. Until an official patch is released, consider restricting local user permissions further and educating users about the risks of executing or triggering service restarts. Employ endpoint detection and response (EDR) solutions to detect anomalous DLL loads or privilege escalation attempts. Finally, maintain a robust patch management process to apply updates from Lakeside Software promptly once available.
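An added example of the audit described in the first recommendation (this is not code from the advisory or from Lakeside Software): it reads the machine-level PATH that a SYSTEM service inherits, flags entries that low-privilege principals can write to, and also flags entries that point at directories which do not exist. The group names are assumed to be the English well-known names; adjust them for localized systems.

```powershell
# Added example, not part of the advisory: audit the machine PATH for search-path
# elements a low-privilege user could control. Run from an elevated session.

# Principals whose Allow-write ACE on a PATH directory counts as a finding
# (assumption: English well-known group names).
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow dropping or replacing a file inside the directory.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

# Read the machine-scope PATH, not the current user's merged PATH: the machine
# value is what a service running as NT AUTHORITY\SYSTEM sees.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$dirs = $machinePath -split ';' |
        Where-Object { $_.Trim() -ne '' } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) } |
        Select-Object -Unique

$findings = foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A PATH entry for a non-existent directory is also worth reviewing:
        # whoever can create it later controls a search-path element.
        [pscustomobject]@{ Directory = $dir; Issue = 'Missing directory'; Principal = '-' }
        continue
    }
    $acl = Get-Acl -LiteralPath $dir
    foreach ($ace in $acl.Access) {
        $isLowPriv   = $LowPrivPrincipals -contains $ace.IdentityReference.Value
        $grantsWrite = ([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0
        # Deny ACEs are not netted out here; treat hits as candidates to review.
        if ($ace.AccessControlType -eq 'Allow' -and $isLowPriv -and $grantsWrite) {
            [pscustomobject]@{ Directory = $dir; Issue = 'Writable by low-privilege principal'; Principal = $ace.IdentityReference.Value }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No user-writable or missing directories found in the machine PATH.' }
```

Any directory reported here should have its ACL tightened or be removed from the machine PATH, since it is exactly the condition the advisory describes.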


Technical Details

Data Version: 5.1
Assigner Short Name: certcc
Date Reserved: 2025-06-18T15:18:17.582Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68857e34ad5a09ad006c030b

Added to database: 7/27/2025, 1:17:40 AM

Last enriched: 8/4/2025, 12:49:28 AM

Last updated: 9/10/2025, 9:12:42 PM

