CVE-2020-18174

9.8 CRITICAL

📋 TL;DR

A process injection vulnerability in AutoHotkey's setup.exe allows attackers to execute arbitrary code with elevated privileges. This affects users running AutoHotkey 1.1.32.00 on Windows systems. Attackers can exploit this to gain SYSTEM-level access on compromised machines.

💻 Affected Systems

Products:
  • AutoHotkey
Versions: 1.1.32.00
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the setup/installer component, not the runtime. Requires execution of setup.exe with vulnerable version.

📦 What is this software?

AutoHotkey is a free, open-source scripting language for Windows used to automate keyboard and mouse input, define hotkeys and drive GUI applications. The affected component, setup.exe, is the installer that places the AutoHotkey runtime on the system; it runs with administrative rights when installing to Program Files, which is why a flaw in it yields elevated code execution.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with SYSTEM privileges, allowing installation of persistent malware, credential theft, and complete control over the affected system.

🟠 Likely Case: Local privilege escalation from a lower-privileged user account to SYSTEM, enabling lateral movement and persistence.

🟢 If Mitigated: Limited impact where privilege separation and application control are in place and execution of the AutoHotkey setup.exe is restricted.

🌐 Internet-Facing: LOW - This is primarily a local privilege escalation vulnerability requiring local access or code execution first.
🏢 Internal Only: HIGH - Attackers with initial access to a user account can escalate to SYSTEM privileges, enabling significant internal network compromise.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local code execution first: the attacker must already run code on the host as a local user. The weakness is process injection in the installer (setup.exe) itself, which runs with elevated rights during installation, so code injected into it executes at that privilege level.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.32.01 and later

Vendor Advisory: https://www.autohotkey.com/boards/viewtopic.php?f=14&t=72290

Restart Required: No

Instructions:

1. Download the latest AutoHotkey version from the official site (https://www.autohotkey.com/).
2. Uninstall the vulnerable version.
3. Install the updated version.
4. Verify the installed version is 1.1.32.01 or higher.

🔧 Temporary Workarounds

Restrict setup.exe execution (Windows)

Use application control policies to block execution of the AutoHotkey setup.exe until the patched installer has been deployed.

  • AppLocker: add a Deny rule for the AutoHotkey setup.exe path (or its file hash) to the Executable Rules collection. Create the default allow rules first: once enforcement is on for a collection, every executable that no allow rule covers is blocked, so a collection holding only the deny rule would block far more than the installer.
  • Windows Defender Application Control: add a deny rule for the installer binary to the deployed policy and redeploy it; as with AppLocker, the policy must still allow the rest of the software estate.

Remove vulnerable version (Windows)

Uninstall AutoHotkey 1.1.32.00 if it is not needed, and delete any copies of the 1.1.32.00 installer file, since the installer is the vulnerable component.

Control Panel > Programs > Uninstall AutoHotkey 1.1.32.00
Using PowerShell (elevated): Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*','HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like 'AutoHotkey*' -and $_.DisplayVersion -eq '1.1.32.00' } | ForEach-Object { Start-Process cmd.exe -ArgumentList ('/c "' + $_.UninstallString + '"') -Wait }
This runs the uninstaller registered for the product, the same one Control Panel calls; it may prompt for confirmation. Win32_Product (Get-WmiObject) is deliberately not used: AutoHotkey's setup.exe is not a Windows Installer (MSI) package, so that class does not list it, and querying it triggers a consistency check and possible repair of every MSI product on the machine.

🧯 If You Can't Patch

  • Implement strict application control policies to prevent execution of the AutoHotkey setup.exe, and remove cached copies of the 1.1.32.00 installer from software shares and deployment tooling so it cannot be re-run.
  • Use privilege separation: keep day-to-day user accounts out of the local Administrators group, and do not run the 1.1.32.00 installer from an elevated account (help desk or deployment jobs included) until it has been replaced, since the flaw is only reachable while that installer is executing.

🔍 How to Verify

Check if Vulnerable:

Look for an installed AutoHotkey entry with version 1.1.32.00 (it was put there by the vulnerable setup.exe), and for cached copies of that installer (AutoHotkey_1.1.32.00_setup.exe as downloaded from the official site) in download folders, software shares and deployment tooling, since the installer file is the component that can be re-run.

Check Version:

AutoHotkey's setup.exe is not a Windows Installer (MSI) package, so "wmic product" and Win32_Product do not list it (and both force a consistency check of every MSI product on the machine; wmic is also deprecated on current Windows). Query the Uninstall registry keys instead:

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s /f AutoHotkey
reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall" /s /f AutoHotkey

Verify Fix Applied:

Confirm the installed AutoHotkey version is 1.1.32.01 or higher, or that AutoHotkey is not installed, and that no copy of the 1.1.32.00 installer remains on the host or in deployment shares.
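The checks above as one PowerShell script, added here as an example; it is not code from AutoHotkey or from the vendor advisory. It assumes the installer registers under the standard Uninstall registry keys with a DisplayName starting "AutoHotkey", that official installer files are named AutoHotkey_<version>_setup.exe and carry a version resource, and that the default search roots (Downloads, TEMP, Public Downloads) are where stray installers end up; adjust them for your estate.

```powershell
# Added example for CVE-2020-18174; not vendor code.
# Assumptions: Uninstall-key registration with DisplayName 'AutoHotkey*',
# installer files named AutoHotkey_<version>_setup.exe with a version resource,
# fixed version 1.1.32.01 as stated in the advisory.

$AffectedVersion = [version]'1.1.32.0'   # '1.1.32.00' parses as 1.1.32.0
$FixedVersion    = [version]'1.1.32.1'

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-AhkInstallState {
    # Reads the Uninstall keys directly: unlike Win32_Product / "wmic product",
    # this lists non-MSI installers and triggers no MSI consistency/repair pass.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'AutoHotkey*' } |
        ForEach-Object {
            $v = $null
            $parsed = [version]::TryParse([string]$_.DisplayVersion, [ref]$v)
            $status = 'Unknown version'
            if ($parsed) {
                if     ($v -eq $AffectedVersion) { $status = 'AFFECTED (installed by 1.1.32.00 setup.exe)' }
                elseif ($v -lt $FixedVersion)    { $status = 'Older than fix (not listed as affected)' }
                else                             { $status = 'Fixed' }
            }
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                Status          = $status
                InstallLocation = $_.InstallLocation
                UninstallString = $_.UninstallString   # what Control Panel runs to uninstall
            }
        }
}

function Find-AhkInstaller {
    # The flaw lives in setup.exe itself, so a cached installer is what can be
    # re-run. Search the usual download/staging locations (assumed defaults).
    param([string[]]$Roots = @("$env:USERPROFILE\Downloads", $env:TEMP, "$env:PUBLIC\Downloads"))
    Get-ChildItem -Path $Roots -Recurse -File -Filter 'AutoHotkey*setup*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $pv = $null
            [void][version]::TryParse([string]$_.VersionInfo.ProductVersion, [ref]$pv)
            $status = 'Check manually'
            if     ($pv -eq $AffectedVersion)           { $status = 'VULNERABLE INSTALLER - delete or replace' }
            elseif ($pv -and $pv -ge $FixedVersion)     { $status = 'Fixed installer' }
            [pscustomobject]@{
                Path           = $_.FullName
                ProductVersion = $_.VersionInfo.ProductVersion
                Status         = $status
            }
        }
}

Get-AhkInstallState | Format-Table DisplayName, DisplayVersion, Status, UninstallString -AutoSize
Find-AhkInstaller   | Format-Table Path, ProductVersion, Status -AutoSize
```

Run it in an elevated session so the HKLM hives and other users' folders are readable. An installed runtime at 1.1.32.01 or later only tells you which installer was last run; a leftover AutoHotkey_1.1.32.00_setup.exe reported by Find-AhkInstaller is still a live risk until it is deleted.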

📡 Detection & Monitoring

Log Indicators:

  • Process creation events for setup.exe with AutoHotkey path
  • Privilege escalation attempts from AutoHotkey processes
  • Unusual child processes spawned from AutoHotkey setup.exe

Network Indicators:

  • None - this is a local privilege escalation vulnerability

SIEM Query:

Process creation where (Image ends with 'setup.exe' AND (Image OR CommandLine contains 'AutoHotkey')) OR (ParentImage matches the AutoHotkey setup.exe AND the child runs at High or System integrity with an image that is not an AutoHotkey binary)
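The pseudo-query above turned into a host-side hunt, added here as an example; it is not from the advisory or from AutoHotkey. It reads Security event 4688 (which needs "Audit Process Creation" and, for the CommandLine field, command-line logging enabled) and Sysmon event 1 where Sysmon is present, and assumes the installer's image path matches AutoHotkey*setup*.exe. Run it in an elevated session.

```powershell
# Added example for CVE-2020-18174; not vendor code.
# Assumption: installer image name matches AutoHotkey<...>setup<...>.exe.
param([int]$Hours = 24)

$Pattern = 'AutoHotkey[^\\]*setup[^\\]*\.exe$'
$Since   = (Get-Date).AddHours(-$Hours)

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="...">value</Data> into a hashtable keyed by Name.
    param($Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Get-AhkInstallerEvents {
    param([datetime]$StartTime, [string]$ImagePattern)
    $hits = @()

    # Security 4688: NewProcessName / ParentProcessName / CommandLine / MandatoryLabel
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $StartTime } -ErrorAction SilentlyContinue
    foreach ($e in $sec) {
        $d = ConvertFrom-EventData $e
        $isInstaller = $d.NewProcessName   -match $ImagePattern
        $isChild     = $d.ParentProcessName -match $ImagePattern
        if ($isInstaller -or $isChild) {
            $why = 'installer started'
            if ($isChild) { $why = 'spawned by installer' }
            $hits += [pscustomobject]@{
                Time        = $e.TimeCreated
                Source      = 'Security/4688'
                Why         = $why
                User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Image       = $d.NewProcessName
                Parent      = $d.ParentProcessName
                Integrity   = $d.MandatoryLabel   # S-1-16-8192 Medium, S-1-16-12288 High, S-1-16-16384 System
                CommandLine = $d.CommandLine
            }
        }
    }

    # Sysmon 1: Image / ParentImage / User / IntegrityLevel / CommandLine
    $sys = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $StartTime } -ErrorAction SilentlyContinue
    foreach ($e in $sys) {
        $d = ConvertFrom-EventData $e
        $isInstaller = $d.Image       -match $ImagePattern
        $isChild     = $d.ParentImage -match $ImagePattern
        if ($isInstaller -or $isChild) {
            $why = 'installer started'
            if ($isChild) { $why = 'spawned by installer' }
            $hits += [pscustomobject]@{
                Time        = $e.TimeCreated
                Source      = 'Sysmon/1'
                Why         = $why
                User        = $d.User
                Image       = $d.Image
                Parent      = $d.ParentImage
                Integrity   = $d.IntegrityLevel   # Medium / High / System
                CommandLine = $d.CommandLine
            }
        }
    }
    return ($hits | Sort-Object Time)
}

$events = Get-AhkInstallerEvents -StartTime $Since -ImagePattern $Pattern
$events | Format-Table Time, Source, Why, User, Integrity, Image, Parent -AutoSize

# Triage: children of the installer at High/System integrity whose image is not an
# AutoHotkey binary (cmd.exe, powershell.exe, rundll32.exe ...) are what to escalate.
$events | Where-Object { $_.Why -eq 'spawned by installer' -and $_.Image -notmatch 'AutoHotkey' } |
    Format-List Time, Source, User, Integrity, Image, CommandLine
```

Installs run by an administrator legitimately produce "installer started" rows at High integrity; the signal is the second query, an elevated non-AutoHotkey child of setup.exe, or the installer launched by a user who should not be installing software at all.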
