CVE-2021-25694
📋 TL;DR
This vulnerability allows attackers to replace the NVENC.dll file in Teradici PCoIP Graphics Agent for Windows, enabling pixel data redirection to unauthorized locations. It affects Windows systems running Teradici PCoIP Graphics Agent versions before 21.03. Attackers with local access could potentially intercept or manipulate graphical data.
💻 Affected Systems
- Teradici PCoIP Graphics Agent for Windows
⚠️ Risk & Real-World Impact
Worst Case
Complete interception of all graphical data transmitted through PCoIP, potentially exposing sensitive visual information including credentials, documents, and proprietary data to attackers.
Likely Case
Local privilege escalation allowing attackers to redirect graphical output to capture screenshots, record sessions, or manipulate displayed content without user knowledge.
If Mitigated
Limited impact if proper file integrity monitoring and access controls prevent unauthorized DLL replacement.
🎯 Exploit Status
Exploitation requires local system access to replace the NVENC.dll file. No authentication bypass needed once local access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.03 and later
Vendor Advisory: https://advisory.teradici.com/security-advisories/80/
Restart Required: Yes
Instructions:
1. Download Teradici PCoIP Graphics Agent version 21.03 or later from official Teradici sources.
2. Run the installer to upgrade existing installations.
3. Restart the system to complete the update.
🔧 Temporary Workarounds
Restrict DLL file permissions
Windows: Set strict permissions on NVENC.dll to prevent unauthorized modification
icacls "C:\Program Files\Teradici\PCoIP Agent\NVENC.dll" /inheritance:r /grant:r "SYSTEM:(F)" "Administrators:(F)" /deny "Users:(W)"
Enable Windows Defender Application Control
Windows: Implement application control policies to prevent unauthorized DLL loading
🧯 If You Can't Patch
- Implement strict file integrity monitoring on NVENC.dll to detect unauthorized changes
- Restrict local access to systems running vulnerable versions through least privilege principles
🔍 How to Verify
Check if Vulnerable:
Check Teradici PCoIP Graphics Agent version in Windows Programs and Features or via registry: HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\PCoIP Agent\Version
Check Version:
reg query "HKLM\SOFTWARE\Teradici\PCoIP Agent" /v Version
Verify Fix Applied:
Verify that the version is 21.03 or higher and check that NVENC.dll has a valid digital signature from Teradici.
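The checks above can be combined into one host audit. The following PowerShell is an added example, not Teradici's tooling: it uses the DLL path and registry key quoted on this page, and it assumes the Version value begins with "major.minor" and that the signer certificate subject contains "Teradici".

```powershell
# Added example: audit a host for the CVE-2021-25694 conditions described on this page.
# Path and registry key are the ones quoted above; adjust if the agent is installed elsewhere.
$DllPath  = 'C:\Program Files\Teradici\PCoIP Agent\NVENC.dll'
$RegKey   = 'HKLM:\SOFTWARE\Teradici\PCoIP Agent'
$findings = @()

# 1. Version check. Assumption: the Version value starts with "<major>.<minor>".
$ver = (Get-ItemProperty -Path $RegKey -Name Version -ErrorAction SilentlyContinue).Version
if ($ver -match '^(\d+)\.(\d+)') {
    $major = [int]$Matches[1]; $minor = [int]$Matches[2]
    if ($major -lt 21 -or ($major -eq 21 -and $minor -lt 3)) {
        $findings += "Agent version $ver is older than 21.03"
    }
} else {
    $findings += 'Agent version not found or not in the expected format'
}

if (Test-Path -LiteralPath $DllPath) {
    # 2. Authenticode signature. Assumption: the signer subject contains "Teradici".
    $sig = Get-AuthenticodeSignature -LiteralPath $DllPath
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status is $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'Teradici') {
        $findings += "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # 3. ACL review: flag any Allow entry that lets a non-admin principal change the file.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $trusted   = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
    foreach ($ace in (Get-Acl -LiteralPath $DllPath).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $trusted -notcontains $ace.IdentityReference.Value -and
            ($ace.FileSystemRights -band $writeMask)) {
            $findings += "$($ace.IdentityReference) can modify the DLL ($($ace.FileSystemRights))"
        }
    }

    # 4. SHA-256 of the current file, to record as a file integrity monitoring baseline.
    $hash = (Get-FileHash -LiteralPath $DllPath -Algorithm SHA256).Hash
    Write-Output "SHA256 $hash  $DllPath"
} else {
    $findings += "$DllPath not found"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'No findings'
```

The ACL check covers only the file's own entries; the parent directory's ACL needs the same review, since write access there also allows the file to be replaced.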
📡 Detection & Monitoring
Log Indicators:
- Windows Security logs showing unauthorized file modifications to NVENC.dll
- Application logs showing PCoIP agent loading unexpected DLLs
Network Indicators:
- Unusual outbound connections from PCoIP agent to unexpected destinations
SIEM Query:
(EventID=4663 OR EventID=4656) AND ObjectName LIKE '%NVENC.dll%' AND SubjectUserName NOT IN ('SYSTEM', 'Administrators')