CVE-2022-48226

7.8 HIGH

📋 TL;DR

This vulnerability allows local privilege escalation in Acuant AcuFill SDK installations. During installation, the software executes an EXE from C:\Windows\Temp, which standard users can pre-create with malicious code to gain elevated SYSTEM privileges. Affected users are those running vulnerable versions of Acuant AcuFill SDK on Windows systems.

💻 Affected Systems

Products:
  • Acuant AcuFill SDK
Versions: All versions before 10.22.02.03
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires standard user access to the Windows system where AcuFill SDK is being installed or updated.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM-level code execution, allowing attackers to install persistent malware, steal credentials, or disable security controls.

🟠 Likely Case

Local privilege escalation where authenticated users gain administrative privileges to install unauthorized software or modify system configurations.

🟢 If Mitigated

No impact if proper file permissions prevent standard users from writing to C:\Windows\Temp or if the vulnerable SDK is not installed.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access to the system.
🏢 Internal Only: HIGH - Internal users with standard privileges can exploit this to gain administrative access on affected systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires standard user access and knowledge of the installation process. The vulnerability is well-documented in public disclosures.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.22.02.03 and later

Vendor Advisory: https://acuant.com

Restart Required: Yes

Instructions:

1. Download Acuant AcuFill SDK version 10.22.02.03 or later from Acuant's official website.
2. Uninstall previous vulnerable versions.
3. Install the patched version.
4. Restart the system to ensure all changes take effect.

🔧 Temporary Workarounds

Restrict C:\Windows\Temp permissions

Modify the NTFS permissions on C:\Windows\Temp so that standard users can no longer create files or subdirectories there (WD = create file / write data, AD = create subdirectory / append data). Run from an elevated command prompt:

icacls C:\Windows\Temp /inheritance:r
icacls C:\Windows\Temp /grant SYSTEM:(OI)(CI)F
icacls C:\Windows\Temp /grant Administrators:(OI)(CI)F
icacls C:\Windows\Temp /deny Users:(OI)(CI)(WD,AD)

Record the current ACL first (icacls C:\Windows\Temp with no switches prints it) and test on a non-production system: deny entries win over allow entries, so the deny on Users also hits administrator accounts that are members of Users, and any software that writes to this directory under such an account will fail.

🧯 If You Can't Patch

  • Remove Acuant AcuFill SDK from affected systems entirely.
  • Implement strict access controls to prevent standard users from accessing systems where AcuFill SDK is installed.

🔍 How to Verify

Check if Vulnerable:

Check the installed version of Acuant AcuFill SDK. If the version is earlier than 10.22.02.03, the system is vulnerable.

Check Version:

Check Add/Remove Programs in Windows Control Panel or examine the installation directory for version information.

Verify Fix Applied:

Verify that Acuant AcuFill SDK version is 10.22.02.03 or later and test that standard users cannot create files in C:\Windows\Temp.

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Log entries showing file creation in C:\Windows\Temp by Acuant installation processes
  • Process creation events for unexpected executables from C:\Windows\Temp

Network Indicators:

  • No network indicators as this is a local privilege escalation vulnerability

SIEM Query (pseudo-query against Windows Security event 4688; process creation auditing must be enabled, and the ParentProcessName field is only present in 4688 on Windows 10 / Server 2016 and later; adapt the field names to your SIEM's schema):

EventID=4688 AND (ParentProcessName LIKE '%acuant%' OR ParentProcessName LIKE '%acufill%') AND NewProcessName LIKE '%\Windows\Temp\%'
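As an added example (not code from the advisory or from Acuant), this script implements the version check from the How to Verify section and the detection logic of the query above, run over constructed 4688-style records flattened to key=value lines; the field names follow Security event 4688, while the paths, user names and process names are made up.

```python
import re

# Fixed version from the advisory: anything older than 10.22.02.03 is vulnerable.
FIXED_VERSION = (10, 22, 2, 3)

# Constructed sample of Security event 4688 (process creation) records, flattened
# to key=value lines as a log forwarder might emit them; not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=4688 SubjectUserName=SYSTEM NewProcessName=C:\Windows\Temp\helper.exe ParentProcessName=C:\Windows\Temp\AcuFillSDK_Setup.exe",
    r"EventID=4688 SubjectUserName=alice NewProcessName=C:\Windows\Temp\stage.exe ParentProcessName=C:\Program Files\Acuant\AcuFill SDK\setup.exe",
    r"EventID=4688 SubjectUserName=SYSTEM NewProcessName=C:\Windows\Temp\other.exe ParentProcessName=C:\Windows\System32\msiexec.exe",
    r"EventID=4688 SubjectUserName=alice NewProcessName=C:\Windows\System32\notepad.exe ParentProcessName=C:\Windows\explorer.exe",
    r"EventID=4624 SubjectUserName=alice",
]

# key=value pairs whose values may contain spaces (Windows paths often do).
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")
VENDOR_RE = re.compile(r"acuant|acufill", re.IGNORECASE)
WINDOWS_TEMP = "c:\\windows\\temp\\"

def parse_event(line):
    """Parse one flattened record into a dict of field name -> value."""
    return dict(KV_RE.findall(line))

def is_vulnerable_version(version):
    """True when a dotted version string is older than the fixed 10.22.02.03."""
    return tuple(int(p) for p in version.strip().split(".")) < FIXED_VERSION

def classify(event):
    """Severity for one parsed record: 'high', 'medium' or None."""
    if event.get("EventID") != "4688":
        return None
    if not event.get("NewProcessName", "").lower().startswith(WINDOWS_TEMP):
        return None
    # An Acuant/AcuFill installer launching an EXE out of C:\Windows\Temp is
    # exactly the pattern this CVE abuses.
    if VENDOR_RE.search(event.get("ParentProcessName", "")):
        return "high"
    # Anything else executing from C:\Windows\Temp still deserves a look.
    return "medium"

def scan(lines):
    """Return (severity, user, new_process, parent) for every flagged record."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        sev = classify(ev)
        if sev:
            hits.append((sev, ev.get("SubjectUserName"),
                         ev["NewProcessName"], ev.get("ParentProcessName", "")))
    return hits
```

Feed scan() the flattened 4688 records from your forwarder; "high" hits are the installer-from-Temp pattern, "medium" hits are other executables started from C:\Windows\Temp.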
