CVE-2023-27470

7.0 HIGH

📋 TL;DR

This vulnerability in N-able Take Control Agent allows attackers to delete arbitrary files through a time-of-check to time-of-use (TOCTOU) race condition. Attackers can exploit a pseudo-symlink in the PushUpdates directory to delete system files. Organizations using affected versions of Take Control Agent are at risk.

💻 Affected Systems

Products:
  • N-able Take Control Agent
Versions: Through 7.0.41.1141 (before 7.0.43)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems where BASupSrvcUpdater.exe runs with sufficient privileges to delete files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Critical system files could be deleted, causing system instability, data loss, or complete system compromise if combined with other vulnerabilities.

🟠 Likely Case

Attackers delete important files to disrupt operations, cause denial of service, or remove security controls.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to potential service disruption in the Take Control Agent.

🌐 Internet-Facing: MEDIUM - Exploitation requires local access or ability to write to the vulnerable directory, but could be combined with other vulnerabilities.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts can exploit this to delete files and disrupt operations.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and ability to create files in the vulnerable directory. Public disclosure includes technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.43 or later

Vendor Advisory: https://www.n-able.com/security-and-privacy/product-security-advisories

Restart Required: Yes

Instructions:

1. Download Take Control Agent version 7.0.43 or later from the N-able portal.
2. Deploy to all affected systems.
3. Restart systems or services as required.

🔧 Temporary Workarounds

Restrict directory permissions

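Platform: Windows

Limit write access to the vulnerable PushUpdates directory to prevent file creation. The deny entry below applies to Everyone, which includes the account the agent service runs under, so expect agent updates that write to this directory to be blocked while it is in place.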

icacls "%PROGRAMDATA%\GetSupportService_N-Central\PushUpdates" /deny Everyone:(OI)(CI)(W)

🧯 If You Can't Patch

  • Monitor file creation and deletion events in the vulnerable directory
  • Implement strict access controls and audit privileged account usage

🔍 How to Verify

Check if Vulnerable:

Check Take Control Agent version and verify if it's 7.0.41.1141 or earlier.

Check Version:

Check agent version in Take Control console or examine installed programs in Control Panel.

Verify Fix Applied:

Confirm Take Control Agent version is 7.0.43 or later.

📡 Detection & Monitoring

Log Indicators:

  • File deletion events in %PROGRAMDATA%\GetSupportService_N-Central\PushUpdates
  • Unusual process activity from BASupSrvcUpdater.exe

Network Indicators:

  • Unusual connections from Take Control Agent to unexpected destinations

SIEM Query:

(EventID=4663 OR EventID=4656) AND ObjectName LIKE '%GetSupportService_N-Central%PushUpdates%'
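
The indicators above applied to exported Security events, as an added example (not code from N-able or from this page's source): the two event IDs are grouped before the path condition, so an unrelated 4663 event is not matched. The expanded `C:\ProgramData` path, the `inside` and `classify` helpers, the three finding labels and the "updater deletes outside its directory" heuristic are assumptions, and the sample events are constructed.

```python
import ntpath

# Names from the advisory; the expanded %PROGRAMDATA% location is an assumption.
WATCHED_DIR = r"C:\ProgramData\GetSupportService_N-Central\PushUpdates"
UPDATER = "basupsrvcupdater.exe"
EVENT_IDS = {4656, 4663}
DELETE = 0x10000  # DELETE bit of the AccessMask field in events 4656/4663


def inside(path, directory=WATCHED_DIR):
    """True when path is the directory itself or lies beneath it."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(directory))
    return p == d or p.startswith(d + "\\")


def classify(event):
    """Label one audit event, or return None when it is out of scope."""
    if event.get("EventID") not in EVENT_IDS:
        return None
    wants_delete = bool(int(event["AccessMask"], 16) & DELETE)
    by_updater = ntpath.basename(event["ProcessName"]).lower() == UPDATER
    in_dir = inside(event["ObjectName"])
    # Heuristic (assumption): the updater deleting outside its own directory
    # is what a redirected delete would look like in the audit log.
    if by_updater and wants_delete and not in_dir:
        return "updater-delete-outside-pushupdates"
    if in_dir and not by_updater:
        return "foreign-process-in-pushupdates"
    if in_dir and wants_delete:
        return "delete-in-pushupdates"
    return None


# Constructed sample events, not real telemetry; all paths are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 4663, "AccessMask": "0x10000",
     "ProcessName": r"C:\ExampleAgent\BASupSrvcUpdater.exe",
     "ObjectName": WATCHED_DIR + r"\constructed.tmp"},
    {"EventID": 4663, "AccessMask": "0x10000",
     "ProcessName": r"C:\ExampleAgent\BASupSrvcUpdater.exe",
     "ObjectName": r"C:\ExampleData\constructed-target.bin"},
    {"EventID": 4656, "AccessMask": "0x2",
     "ProcessName": r"C:\ExampleTools\constructed.exe",
     "ObjectName": WATCHED_DIR.lower() + r"\constructed.tmp"},
    {"EventID": 4663, "AccessMask": "0x10000",
     "ProcessName": r"C:\ExampleTools\constructed.exe",
     "ObjectName": r"C:\ExampleData\unrelated.txt"},
]
```

Events 4656 and 4663 are only written when object-access auditing is enabled and the directory carries an audit (SACL) entry.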
