The Akamai Guardicore Platform Agent and Zero Trust Client contain a TOCTOU race condition vulnerability (CWE-367) due to the creation of an IPC socket in a world-writable /tmp directory that accepts unauthenticated control messages. This allows an unprivileged local user to exploit the HandleSaveLogs() function by creating and manipulating log files into symbolic links pointing to arbitrary root-owned files, making them world-writable. Additionally, the gimmelogs diagnostic tool running with root privileges is vulnerable to command injection via the dbstore on Linux/macOS, enabling a second privilege escalation path. On Windows, gimmelogs lacks command injection but can write ZIP archives to unintended locations. The vulnerability affects specific versions of Akamai Guardicore Platform Agent and Zero Trust Client. The vendor provides a patch and manages remediation for this cloud service.

Successful exploitation allows an unprivileged local user to escalate privileges to root by making arbitrary root-owned files world-writable and by leveraging command injection in a root-privileged diagnostic tool. This can lead to full system compromise on affected Linux and macOS systems. The vulnerability is rated high severity with a CVSS score of 7.4. No known exploits are currently reported in the wild.

A patch is available for this vulnerability. Since the affected products are cloud-hosted services, the vendor manages remediation server-side. Users should verify with Akamai's official advisory and ensure their Guardicore Platform Agent and Zero Trust Client are updated to patched versions beyond those affected (GPA 7.3.1 and ZTC 6.1.5). No additional mitigation steps are indicated by the vendor advisory.