CVE-2024-26507
📋 TL;DR
This vulnerability allows a local attacker to escalate privileges on systems running vulnerable versions of FinalWire AIDA64. Because of improper access control on the IOCTL interface of the AIDA64 kernel driver, any local process that can open the driver's device object can issue DeviceIoControl requests that should be reserved for privileged callers, and use them to gain SYSTEM-level privileges. AIDA64 Extreme, Engineer, Business and Network Audit versions 7.00.6700 and earlier are listed as affected.
💻 Affected Systems
- FinalWire AIDA64 Extreme
- AIDA64 Engineer
- AIDA64 Business
- AIDA64 Network Audit
⚠️ Manual Verification Required
The NVD entry for this CVE carries no version range (no vulnerable CPE versions were published by the vendor or NVD), so automated scanners that match on version data cannot determine whether a given install is affected.
Why? Without a published version range there is nothing to match against; the 7.00.6700 boundary quoted on this page should therefore be confirmed against FinalWire's release notes before it is relied on.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise: the attacker gains SYSTEM privileges on the host, enabling installation of persistent malware, theft of credentials held by the OS (LSASS, cached logons) and full control over the affected machine.
Likely Case
Local privilege escalation from a standard user (or a compromised low-privileged service account) to SYSTEM, allowing the attacker to bypass security controls, disable endpoint protection, install additional tooling and read data normally restricted to administrators.
If Mitigated
Least privilege does not close the escalation path itself (any local account that can open the driver's device can use it); it limits what the attacker's initial foothold can reach before escalating. Removing the driver, or keeping it from loading, is what actually reduces the impact. Even then, an already-present foothold still gives the attacker a place to try other escalation routes.
🎯 Exploit Status
Exploitation requires local code execution as any user; beyond that, the technique is well-documented and relatively simple to implement. The attacker opens the AIDA64 driver's device object and issues DeviceIoControl requests on its IOCTL interface, the same interface the AIDA64 application itself uses, so no exotic tooling or kernel exploit primitives are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: a build later than 7.00.6700 (this page lists 7.00.6700 as the last affected version; check FinalWire's release notes for the current build)
Vendor Advisory: https://www.aida64.com/downloads
Restart Required: Yes
Instructions:
1. Download the latest version from the official AIDA64 website.
2. Uninstall the current vulnerable version.
3. Install the updated version.
4. Restart the system so the updated kernel driver is loaded; a driver image that was in use keeps running from memory until reboot, even after its file on disk has been replaced.
🔧 Temporary Workarounds
Remove AIDA64 Software
Windows: uninstall the vulnerable AIDA64 build to remove the driver and its IOCTL surface.
Control Panel > Programs > Uninstall AIDA64
Or use: msiexec /x {AIDA64-Product-Code}
msiexec only applies if the build was delivered as a Windows Installer (MSI) package; otherwise run the UninstallString recorded under the product's key in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (or the WOW6432Node path). Afterwards confirm that the kernel driver service is gone and no AIDA64 .sys is still loaded: a removed application with a still-registered driver leaves the vulnerability in place.
Restrict Driver Loading
Windows: use policy to keep the vulnerable driver from loading. The AIDA64 driver is vendor-signed (64-bit Windows will not load an unsigned kernel driver at all), so settings that only block unsigned drivers do not apply; the policy must name this driver or its signer explicitly, for example a Windows Defender Application Control (WDAC) policy with a deny rule for the driver file or the FinalWire publisher certificate.
The Group Policy items under Security Options ("Devices: ...") and under Administrative Templates > System > Device Installation govern Plug and Play device driver installation, not kernel drivers registered as services, and will not block this driver.
A load restriction only affects future loads: if the driver is already loaded, stop its service and set the start type to Disabled (or uninstall), reboot, and confirm it is absent from the loaded-driver list.
🧯 If You Can't Patch
- Enforce least privilege, but know its limit here: the escalation path is open to any local account that can open the driver's device, so removing administrative rights from users does not close it. It only reduces what the attacker's initial foothold (a phishing payload, a compromised service) can do before it escalates.
- Deploy application control that covers kernel drivers, not just user-mode executables (WDAC can do both; AppLocker has no rule collection for drivers). Blocking the AIDA64 executable alone leaves the driver, which is the exploitable component, loadable.
🔍 How to Verify
Check if Vulnerable:
Check the AIDA64 version in Help > About or in the installed programs list. Versions 7.00.6700 and earlier are vulnerable.
Check Version:
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object DisplayName -like '*AIDA64*' | Select-Object DisplayName, DisplayVersion
(The wmic product / Win32_Product query only lists Windows Installer packages, triggers an MSI consistency check of every package on each call, and wmic itself is deprecated; the Uninstall registry keys cover every installer type. A portable ZIP copy has no registry entry at all: check Help > About or the executable's file version instead.)
Verify Fix Applied:
Verify that the installed version is later than 7.00.6700 and that the AIDA64 kernel driver (listed as aidakd.sys on this page; confirm the file name on your build from the driver service's image path) has actually been replaced: compare its file version and Authenticode signing timestamp with the pre-update copy, and confirm the old image is no longer loaded after the reboot.
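The check above, and the uninstall-string lookup from the workaround section, as one added PowerShell example (not FinalWire's code and not part of the advisory). It finds AIDA64 installs, judges them against the 7.00.6700 boundary quoted on this page, prints the real uninstall command, and locates the loaded FinalWire kernel driver by signer rather than by file name, since the name aidakd.sys is not confirmed here. It assumes that installer-based AIDA64 builds register an Uninstall key with DisplayName/DisplayVersion (a portable ZIP copy leaves none) and that the driver's version resource or Authenticode signature names FinalWire.

```powershell
# Added example for this page (not FinalWire's code, not from the advisory).
# Assumptions: Uninstall registry key with DisplayName/DisplayVersion for
# installer-based builds; driver file signed by / attributed to FinalWire.

$LastVulnerable = [version]'7.0.6700'    # "7.00.6700" as quoted on this page

$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-Aida64Install {
    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty $key.PSPath
            if ($p.DisplayName -notlike '*AIDA64*') { continue }
            $v = $null
            $parsed = [version]::TryParse([string]$p.DisplayVersion, [ref]$v)
            $vuln = if ($parsed) { $v -le $LastVulnerable } else { 'unknown: unparseable version' }
            [pscustomobject]@{
                Name            = $p.DisplayName
                Version         = $p.DisplayVersion
                InstallLocation = $p.InstallLocation
                # The command the '{AIDA64-Product-Code}' placeholder in the workaround stands for
                UninstallString = $p.UninstallString
                Vulnerable      = $vuln
            }
        }
    }
}

function Resolve-DriverPath([string]$PathName) {
    # SCM stores driver paths in several shapes: \??\C:\..., \SystemRoot\..., system32\drivers\x.sys
    $p = $PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -and -not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-FinalWireDriver {
    # Match on company/signer (or an 'aida' service name) instead of a hard-coded .sys name,
    # so an updated or renamed driver is still found.
    foreach ($drv in Get-CimInstance Win32_SystemDriver) {
        $path = Resolve-DriverPath $drv.PathName
        if (-not ($path -and (Test-Path $path))) { continue }
        $vi     = (Get-Item $path).VersionInfo
        $sig    = Get-AuthenticodeSignature $path
        $signer = $sig.SignerCertificate.Subject
        if ($vi.CompanyName -notlike '*FinalWire*' -and $signer -notlike '*FinalWire*' -and $drv.Name -notlike '*aida*') { continue }
        [pscustomobject]@{
            Service     = $drv.Name
            State       = $drv.State          # 'Running' means the IOCTL surface is reachable right now
            StartMode   = $drv.StartMode
            Path        = $path
            FileVersion = $vi.FileVersion
            Signer      = $signer
            SigStatus   = $sig.Status
        }
    }
}

$installs = @(Get-Aida64Install)
if ($installs.Count -eq 0) {
    Write-Host 'No AIDA64 Uninstall entry. Check for a portable copy: Get-Process aida64* ; and see the driver list below.'
}
$installs | Format-List
Get-FinalWireDriver | Format-List
```

Run it elevated before and after the update: the Vulnerable flag should flip to False, and the driver's FileVersion and Signer timestamp should change. If the application is gone but Get-FinalWireDriver still returns a Running service, the vulnerable surface is still present.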
📡 Detection & Monitoring
Log Indicators:
- DeviceIoControl calls to the AIDA64 driver (aidakd.sys per this page) from non-privileged processes. Caveat: neither the Windows Security log nor Sysmon records IOCTLs; this indicator needs EDR or ETW telemetry that captures device-handle opens.
- Unexpected privilege escalation events in the Windows Security log (for example 4672, special privileges assigned to a new logon, or 4688 process creation with a full elevation token for a user who is not an administrator). Process-creation auditing is off by default and must be enabled for 4688 to exist.
- Process creation events showing AIDA64 processes started with elevated privileges. Weak on its own: an administrator running AIDA64 elevated looks identical, and the exploit does not need to start an AIDA64 process at all, since the attacker's own binary talks to the driver.
- Registration or load of the AIDA64 kernel driver (System log 7045 from the Service Control Manager, Sysmon event 6 DriverLoad) on hosts where AIDA64 is not an approved application.
Network Indicators:
- No network indicators - this is a local privilege escalation
SIEM Query:
EventID=4688 AND NewProcessName LIKE '%AIDA64%' AND TokenElevationType='%%1937' AND SubjectUserName NOT LIKE '%$'
(TokenElevationType values: %%1936 = default token, %%1937 = full elevated token, %%1938 = limited token. The original form, TokenElevationType != %%1936, also matched every ordinary limited-token launch by a standard user. SYSTEM appears in SubjectUserName as the machine account, HOST$, not as 'SYSTEM'; the NOT LIKE '%$' clause excludes it, while LOCAL SERVICE and NETWORK SERVICE appear under their own names.)
Secondary query, driver registration on a host that should not have AIDA64:
EventID=7045 AND ServiceType='kernel mode driver' AND (ImagePath LIKE '%aida%' OR ServiceName LIKE '%aida%')
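The same hunt run against a host's local event logs, as an added PowerShell example (not part of the advisory): it implements the SIEM queries above plus the Sysmon driver-load indicator, with the 4688 elevation-token and HOST$ handling built in. It assumes Audit Process Creation is enabled (4688 is off by default), Sysmon is installed for event 6, and AIDA64 binaries and driver carry 'aida' in their names or FinalWire in their signature; run it elevated.

```powershell
# Added example for this page (not from the advisory). Assumptions: Audit Process
# Creation enabled for 4688, Sysmon present for event 6, 'aida'/'FinalWire' naming.

function ConvertFrom-EventData($Record) {
    # Flatten <EventData><Data Name="..."> into a hashtable keyed by field name
    $d = @{}
    foreach ($node in ([xml]$Record.ToXml()).Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
    $d
}

function Find-ElevatedAida64Start([int]$MaxEvents = 5000) {
    # Security 4688. TokenElevationType: %%1936 default, %%1937 full (UAC-elevated), %%1938 limited.
    # SYSTEM shows in SubjectUserName as '<HOST>$', never as 'SYSTEM', hence the '*$' exclusion.
    $xpath = "*[System[EventID=4688] and EventData[Data[@Name='TokenElevationType']='%%1937']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d.NewProcessName -like '*aida64*' -and $d.SubjectUserName -notlike '*$') {
                [pscustomobject]@{ Time = $_.TimeCreated; User = $d.SubjectUserName
                                   Process = $d.NewProcessName; Parent = $d.ParentProcessName }
            }
        }
}

function Find-Aida64DriverInstall {
    # System 7045 (Service Control Manager): a new service was registered. A kernel-mode driver
    # service pointing at an AIDA64 .sys on a host where AIDA64 is not approved is the highest-signal
    # event here; an attacker registering their own copy of the driver produces the same event.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d.ServiceType -like '*kernel*' -and ($d.ImagePath -like '*aida*' -or $d.ServiceName -like '*aida*')) {
                [pscustomobject]@{ Time = $_.TimeCreated; Service = $d.ServiceName; Image = $d.ImagePath; Start = $d.StartType }
            }
        }
}

function Find-FinalWireDriverLoad {
    # Sysmon event 6 (DriverLoad) carries the signer, so match on 'FinalWire' instead of a file name.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d.Signature -like '*FinalWire*' -or $d.ImageLoaded -like '*aida*') {
                [pscustomobject]@{ Time = $_.TimeCreated; Image = $d.ImageLoaded; Signature = $d.Signature
                                   Status = $d.SignatureStatus; Hashes = $d.Hashes }
            }
        }
}

Find-ElevatedAida64Start | Format-Table -AutoSize
Find-Aida64DriverInstall | Format-Table -AutoSize
Find-FinalWireDriverLoad | Format-Table -AutoSize
```

The 7045 and Sysmon 6 results are the ones worth alerting on fleet-wide; the 4688 result is a hunting aid that needs an allow-list of hosts and users who legitimately run AIDA64.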