CVE-2015-7985
Steam 54/894 - Local Privilege Escalation
Severity Score
7.8
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Valve Steam 2.10.91.91 uses weak permissions (Users: read and write) for the Install folder, which allows local users to gain privileges via a Trojan horse steam.exe file.
Valve Steam 2.10.91.91 utiliza permisos débiles (Usuarios: leer y escribir) para la carpeta Install, lo que permite a usuarios locales obtener privilegios a través de un archivo troyano steam.exe .
A privilege escalation vulnerability has been identified in that the Steam Microsoft Windows client software is installed with weak default permissions. These permissions grant read and write access to the Windows Users group for the install folder. This includes Steam.exe which is launched upon user login. Version 2.10.91.91 is confirmed vulnerable.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2009-08-07 First Exploit
- 2015-10-27 CVE Reserved
- 2015-11-23 CVE Published
- 2024-08-06 CVE Updated
- 2025-06-28 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-276: Incorrect Default Permissions
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| http://packetstormsecurity.com/files/134513/Steam-2.10.91.91-Weak-File-Permissions-Privilege-Escalation.html | Third Party Advisory |
|
| http://www.securityfocus.com/archive/1/536961/100/0/threaded | Broken Link |
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/9386 | 2009-08-07 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Valvesoftware Search vendor "Valvesoftware" | Steam Client Search vendor "Valvesoftware" for product "Steam Client" | 2.10.91.91 Search vendor "Valvesoftware" for product "Steam Client" and version "2.10.91.91" | - |
Affected
| ||||||