CVE-2025-6241 is a vulnerability classified under CWE-427 (Uncontrolled Search Path Element) affecting Lakeside Software's SysTrack product, specifically version 10.05.0027. The issue stems from the LsiAgent.exe component attempting to load several DLL files that are not included in the default installation package. If the SYSTEM PATH environment variable includes a directory writable by a non-privileged user, an attacker can place a malicious DLL in that directory. When the SysTrack service starts or restarts, Windows' default DLL search order causes the malicious DLL to be loaded and executed in the context of NT AUTHORITY\SYSTEM, effectively granting the attacker SYSTEM-level privileges. This attack requires local access and user interaction to restart the service but does not require prior authentication. The vulnerability does not currently have known exploits in the wild, and no official patch links are provided yet. The CVSS v3.1 score is 4.4 (medium), reflecting the local attack vector, low complexity, no privileges required, but requiring user interaction. The impact primarily affects confidentiality and integrity by enabling privilege escalation, but availability is not impacted. The vulnerability highlights the risk of insecure environment variable configurations combined with incomplete DLL deployment in software products.

For European organizations, this vulnerability poses a risk of local privilege escalation, allowing attackers with local access to gain SYSTEM-level control over affected endpoints running SysTrack 10.05.0027. This can lead to unauthorized access to sensitive data, modification of system configurations, and potential lateral movement within corporate networks. Organizations relying on SysTrack for endpoint monitoring and analytics could see their monitoring infrastructure compromised, undermining security visibility and response capabilities. Although exploitation requires local access and user interaction, insider threats or attackers who have gained initial footholds could leverage this vulnerability to escalate privileges and deepen their control. The impact is particularly significant in environments with lax controls on PATH environment variables or where user-writable directories are inadvertently included in SYSTEM PATH. This could also affect managed service providers and enterprises with large deployments of SysTrack, increasing the attack surface. The absence of known exploits in the wild provides a window for proactive mitigation before active exploitation occurs.

1. Immediately audit and restrict write permissions on all directories included in the SYSTEM PATH environment variable to ensure they are not writable by non-privileged users. 2. Remove any user-writable directories from the SYSTEM PATH variable to prevent DLL hijacking. 3. Monitor and alert on changes to environment variables, especially SYSTEM PATH, to detect unauthorized modifications. 4. Implement application whitelisting to prevent unauthorized DLLs from loading. 5. Restrict local user permissions to prevent unauthorized service restarts or modifications to SysTrack components. 6. Once available, promptly apply official patches or updates from Lakeside Software addressing this vulnerability. 7. Conduct endpoint scans to detect presence of unauthorized DLLs in PATH directories. 8. Educate system administrators and users about the risks of modifying environment variables and the importance of secure configurations. 9. Employ endpoint detection and response (EDR) tools to monitor for suspicious DLL loading and privilege escalation attempts. 10. Consider isolating SysTrack agents on hardened systems with minimal user access to reduce attack vectors.