CVE-2021-45975

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In ListCheck.exe in Acer Care Center 4.x before 4.00.3038, a vulnerability in the loading mechanism of Windows DLLs could allow a local attacker to perform a DLL hijacking attack. This vulnerability is due to incorrect handling of directory search paths at run time. An attacker could exploit this vulnerability by placing a malicious DLL file on the targeted system. This file will execute when the vulnerable application launches. A successful exploit could allow the attacker to execute arbitrary code on the targeted system with local administrator privileges.

En el archivo ListCheck.exe de Acer Care Center versiones 4.x anteriores a 4.00.3038, una vulnerabilidad en el mecanismo de carga de DLL de Windows podría permitir a un atacante local llevar a cabo un ataque de secuestro de DLL. Esta vulnerabilidad es debido al manejo incorrecto de las rutas de búsqueda de directorios en tiempo de ejecución. Un atacante podría explotar esta vulnerabilidad al colocar un archivo DLL malicioso en el sistema objetivo. Este archivo será ejecutado cuando sea iniciada la aplicación vulnerable. Una explotación con éxito podría permitir al atacante ejecutar código arbitrario en el sistema objetivo con privilegios de administrador local

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-01-01 CVE Reserved
2022-01-26 CVE Published
2024-08-04 CVE Updated
2024-08-04 First Exploit
2024-09-01 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-426: Untrusted Search Path

CAPEC

References (3)

URL	Tag	Source
https://acercsi.com	Broken Link

URL	Date	SRC
https://aptw.tf/2022/01/20/acer-care-center-privesc.html	2024-08-04

URL	Date	SRC

URL	Date	SRC
https://community.acer.com/en/kb/articles/14757-acer-care-center-requires-an-update-to-resolve-a-security-vulnerability	2022-02-02

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Acer Search vendor "Acer"		Care Center Search vendor "Acer" for product "Care Center"				>= 4.0 < 4.00.3038 Search vendor "Acer" for product "Care Center" and version " >= 4.0 < 4.00.3038"		-		Affected