
CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

18 Feb 2025 — Rufus is a utility that helps format and create bootable USB flash drives. A DLL hijacking vulnerability in Rufus 4.6.2208 and earlier allows an attacker to load and execute a malicious DLL with escalated privileges (the executable is granted higher privileges at launch): a malicious `cfgmgr32.dll` placed in the same directory as the executable is side-loaded automatically. This is fixed in commit `74dfa49`, which will be part of version 4.7... • https://github.com/pbatard/rufus/commit/74dfa49707fd626b58d776d3400295740a29e23e • CWE-426: Untrusted Search Path CWE-427: Uncontrolled Search Path Element •

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

19 Jul 2019 — Akeo Consulting Rufus 3.0 and earlier is affected by: Insecure Permissions. The impact is: arbitrary code execution with escalation of privilege. The component is: Executable installer, portable executable (ALL executables available). The attack vector is: CWE-29, CWE-377, CWE-379. • http://seclists.org/oss-sec/2018/q2/146 • CWE-732: Incorrect Permission Assignment for Critical Resource •

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

19 Jul 2019 — Akeo Consulting Rufus 3.0 and earlier is affected by: DLL search order hijacking. The impact is: arbitrary code execution WITH escalation of privilege. The component is: Executable installers, portable executables (ALL executables on the web site). The attack vector is: CAPEC-471, CWE-426, CWE-427. • http://seclists.org/oss-sec/2018/q2/146 • CWE-426: Untrusted Search Path CWE-427: Uncontrolled Search Path Element •
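Both DLL search-order entries above (the 2025 `cfgmgr32.dll` side-load and the 2018 finding) rely on the same mechanism: with the default search order, a DLL in the executable's own directory is loaded before the copy in System32 unless the name is on the KnownDLLs list, so a DLL dropped next to an elevated executable runs with that executable's privileges. The following triage script is an added example, not Rufus project code, for checking a downloaded executable's directory for such shadowing candidates. It assumes the executable's import list is not parsed; any DLL in the application directory whose name also exists in System32 is treated as a candidate, and its Authenticode status is reported so an unsigned `cfgmgr32.dll` next to `rufus.exe` stands out.

```powershell
# Added example (not Rufus project code): list DLLs beside an executable that
# would shadow a System32 DLL under the default search order. A candidate is
# "Hijackable" when it shadows a System32 name and that name is not a KnownDLL
# (KnownDLLs are always resolved from System32 and cannot be shadowed).
function Find-DllSideloadCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ExePath
    )

    $appDir   = Split-Path -Path (Resolve-Path -Path $ExePath) -Parent
    $system32 = Join-Path -Path $env:SystemRoot -ChildPath 'System32'

    # Registry values under KnownDLLs are "<name> = <file>.dll"; skip the
    # provider metadata (PS*) and the DllDirectory entries.
    $knownDllKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    $knownDlls = (Get-ItemProperty -Path $knownDllKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Name -notlike 'DllDirectory*' } |
        ForEach-Object { ([string]$_.Value).ToLowerInvariant() }

    Get-ChildItem -Path $appDir -Filter '*.dll' -File | ForEach-Object {
        $name           = $_.Name.ToLowerInvariant()
        $shadowsSystem  = Test-Path -Path (Join-Path -Path $system32 -ChildPath $_.Name)
        if (-not $shadowsSystem) { return }

        $isKnown = $knownDlls -contains $name
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName

        [pscustomobject]@{
            Dll             = $_.Name
            Path            = $_.FullName
            KnownDll        = $isKnown
            Hijackable      = (-not $isKnown)
            SignatureStatus = $sig.Status
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        }
    }
}

# Usage (path is a placeholder): a user-writable Downloads folder is exactly
# where an attacker would stage the DLL before the user launches the tool.
Find-DllSideloadCandidate -ExePath 'C:\Users\alice\Downloads\rufus.exe' | Format-Table -AutoSize
```

Any row with `Hijackable` true and `SignatureStatus` other than `Valid` deserves a look. On the developer side the corresponding mitigation is to restrict the loader's search path before any delay-loaded or dynamically loaded system DLL is resolved, for example by calling `SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)` early in startup, so that a same-named DLL in the application directory is never consulted for system libraries.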

CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

18 Oct 2017 — Akeo Consulting Rufus prior to version 2.17.1187 does not adequately validate the integrity of updates downloaded over HTTP, allowing an attacker to easily convince a user to execute arbitrary code. • http://www.kb.cert.org/vuls/id/403768 • CWE-295: Improper Certificate Validation CWE-345: Insufficient Verification of Data Authenticity CWE-347: Improper Verification of Cryptographic Signature CWE-494: Download of Code Without Integrity Check •
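The update entry above lists CWE-295, CWE-347 and CWE-494 together, which is the whole failure chain for a self-updater: a plaintext download lets an on-path attacker swap the binary, and without a signature check over the file itself nothing catches the swap. The script below is an added example, not Rufus's own update code, of the checks a downloader should apply before executing what it fetched. It assumes the expected SHA-256, the expected publisher certificate thumbprint and the output path are supplied by the caller from a source trusted independently of the download (for example, compiled into the currently running, already-verified binary); the URL and paths in the usage line are placeholders.

```powershell
# Added example (not Rufus project code): download an update over HTTPS only,
# verify a pinned SHA-256, and require a valid Authenticode signature from the
# expected publisher before returning the file for execution.
function Get-VerifiedUpdate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $ExpectedSha256,      # hex, from a trusted source
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,  # publisher cert SHA-1 thumbprint, hex
        [Parameter(Mandatory)] [string] $OutFile
    )

    # Plain HTTP is what made the pre-2.17.1187 download substitutable on path.
    if (-not $Url.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Refusing non-HTTPS update URL: $Url"
    }

    # Invoke-WebRequest validates the server certificate chain by default;
    # never pass -SkipCertificateCheck (PowerShell 7) or relax ServicePointManager here.
    Invoke-WebRequest -Uri $Url -OutFile $OutFile -UseBasicParsing

    try {
        # Get-FileHash returns uppercase hex, so normalise the pinned value to match.
        $actual = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
            throw "SHA-256 mismatch: expected $ExpectedSha256, got $actual"
        }

        # The signature binds the file to the publisher independently of transport;
        # Status must be Valid (trusted chain, not revoked, file unmodified) and the
        # signer must be the pinned certificate, not merely any valid signer.
        $sig = Get-AuthenticodeSignature -FilePath $OutFile
        if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
            throw "Authenticode signature not valid: $($sig.Status)"
        }
        if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
            throw "Unexpected signer $($sig.SignerCertificate.Subject) ($($sig.SignerCertificate.Thumbprint))"
        }
    }
    catch {
        # Do not leave an unverified binary on disk for the user to run by hand.
        Remove-Item -Path $OutFile -Force -ErrorAction SilentlyContinue
        throw
    }

    return Get-Item -Path $OutFile
}

# Usage (all values are placeholders supplied by the trusted running build):
# $update = Get-VerifiedUpdate -Url 'https://example.invalid/rufus-new.exe' `
#     -ExpectedSha256 '<pinned sha256>' -ExpectedThumbprint '<publisher thumbprint>' `
#     -OutFile "$env:TEMP\rufus-new.exe"
# Start-Process -FilePath $update.FullName
```

The hash check alone is only as strong as the channel that delivered the hash: if the manifest comes over the same unauthenticated HTTP connection as the binary, the attacker rewrites both. That is why the example also requires a signature over the file and pins the signer, and why the temporary file is removed on any failure rather than left where a user might double-click it.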