ByteOS Network

Vulnerability Details :

CVE-2024-9495

Assigner-Silabs

Assigner Org ID-030b2754-1501-44a4-bef8-48be86a33bf4

Published At-24 Jan, 2025 | 14:37

Updated At-27 Jan, 2025 | 18:11

Uncontrolled search path can lead to DLL hijacking in CP210x VCP Windows installer

DLL hijacking vulnerabilities, caused by an uncontrolled search path in the CP210x VCP Windows installer can lead to privilege escalation and arbitrary code execution when running the impacted installer.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:Silabs

Assigner Org ID:030b2754-1501-44a4-bef8-48be86a33bf4

Published At:24 Jan, 2025 | 14:37

Updated At:27 Jan, 2025 | 18:11

▼CVE Numbering Authority (CNA)

Uncontrolled search path can lead to DLL hijacking in CP210x VCP Windows installer

Affected Products

Vendor

silabs.com

Product

CP210x VCP Windows

Package Name

CP210x VCP Windows

Platforms

Windows

Default Status

affected

Versions

Affected

From 0 through 6.7 (semver)

Problem Types

Type	CWE ID	Description
CWE	CWE-427	CWE-427 Uncontrolled Search Path Element

Type: CWE

CWE ID: CWE-427

Description: CWE-427 Uncontrolled Search Path Element

Metrics

Version	Base score	Base severity	Vector
3.1	8.6	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Version: 3.1

Base score: 8.6

Base severity: HIGH

Vector:

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Impacts

CAPEC ID	Description
CAPEC-471	CAPEC-471 Search Order Hijacking
CAPEC-30	CAPEC-30 Hijacking a Privileged Thread of Execution

CAPEC ID: CAPEC-471

Description: CAPEC-471 Search Order Hijacking

CAPEC ID: CAPEC-30

Description: CAPEC-30 Hijacking a Privileged Thread of Execution

Credits

reporter

Thanks to Sahil Shah, Shaurya, and Vidhi Patel for reporting this issue.

References

Hyperlink	Resource
https://community.silabs.com/068Vm00000JUQwd	vendor-advisory permissions-required

Hyperlink: https://community.silabs.com/068Vm00000JUQwd

Resource:

vendor-advisory

permissions-required

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:product-security@silabs.com

Published At:24 Jan, 2025 | 15:15

Updated At:24 Jan, 2025 | 15:15

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	8.6	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Type: Secondary

Version: 3.1

Base score: 8.6

Base severity: HIGH

Vector:

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Weaknesses

CWE ID	Type	Source
CWE-427	Secondary	product-security@silabs.com

CWE ID: CWE-427

Type: Secondary

Source: product-security@silabs.com

References

Hyperlink	Source	Resource
https://community.silabs.com/068Vm00000JUQwd	product-security@silabs.com	N/A

Hyperlink: https://community.silabs.com/068Vm00000JUQwd

Source: product-security@silabs.com

Resource: N/A

CVE-2024-9495

Credits

Uncontrolled search path can lead to DLL hijacking in CP210x VCP Windows installer

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs