CVE-2025-4455

A vulnerability was found in Patch My PC Home Updater up to 5.1.3.0. It has been rated as critical. This issue affects some unknown processing in the library advapi32.dll/BCrypt.dll/comctl32.dll/crypt32.dll/dwmapi.dll/gdi32.dll/gdiplus.dll/imm32.dll/iphlpapi.dll/kernel32.dll/mscms.dll/msctf.dll/ntdll.dll/ole32.dll/oleaut32.dll/PresentationNative_cor3.dll/secur32.dll/shcore.dll/shell32.dll/sspicli.dll/System.IO. The manipulation leads to uncontrolled search path. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS v3 7.0 HIGH
CVSS v2.0 6.0 MEDIUM

7.0^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.0 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:L/AC:H/Au:S/C:C/I:C/A:C

Exploitability : 1.5 / Impact : 10.0

Access Vector LOCAL

Access Complexity HIGH

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://gist.github.com/shellkraft/d7db265b53115d52a4ca5bffe5e9c6e4
https://vuldb.com/?ctiid.308069
https://vuldb.com/?id.308069
https://vuldb.com/?submit.562440

Configurations

No configuration.

History

12 May 2025, 17:32

Type	Values Removed	Values Added
Summary		(es) Se encontró una vulnerabilidad en Patch My PC Home Updater hasta la versión 5.1.3.0. Se ha clasificado como crítica. Este problema afecta a un procesamiento desconocido en la librería advapi32.dll/BCrypt.dll/comctl32.dll/crypt32.dll/dwmapi.dll/gdi32.dll/gdiplus.dll/imm32.dll/iphlpapi.dll/kernel32.dll/mscms.dll/msctf.dll/ntdll.dll/ole32.dll/oleaut32.dll/PresentationNative_cor3.dll/secur32.dll/shcore.dll/shell32.dll/sspicli.dll/System.IO. La manipulación genera una ruta de búsqueda incontrolada. Es posible lanzar el ataque en el host local. La complejidad del ataque es bastante alta. Se sabe que su explotación es difícil. Se ha hecho público el exploit y puede que sea utilizado. Se contactó al vendedor tempranamente acerca de esta divulgación pero no respondió de ninguna manera.

09 May 2025, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-09 03:15

Updated : 2025-05-12 17:32

NVD link : CVE-2025-4455

Mitre link : CVE-2025-4455

CVE.ORG link : CVE-2025-4455

JSON object : View

Products Affected

No product.

CWE

CWE-426

Untrusted Search Path

CWE-427

Uncontrolled Search Path Element

7.0 /10