CVE-2024-47795
📋 TL;DR
This vulnerability in Intel oneAPI DPC++/C++ Compiler software allows authenticated local users to escalate privileges by manipulating the DLL search path. It affects users running vulnerable versions of the compiler software on Windows systems where an attacker has local access.
💻 Affected Systems
- Intel oneAPI DPC++/C++ Compiler
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could execute arbitrary code with SYSTEM/root privileges, potentially taking full control of the affected system.
Likely Case
Local authenticated users could escalate privileges to administrator/root level, enabling installation of malware, data theft, or lateral movement.
If Mitigated
With proper access controls and least privilege principles, impact is limited to users who already have some level of authenticated access.
🎯 Exploit Status
Requires authenticated local access and knowledge of DLL hijacking techniques. No public exploits have been reported.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.0.0 or later
Vendor Advisory: https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01243.html
Restart Required: No
Instructions:
1. Download Intel oneAPI DPC++/C++ Compiler version 2025.0.0 or later from Intel's official website. 2. Uninstall previous vulnerable versions. 3. Install the updated version. 4. Verify installation with version check command.
🔧 Temporary Workarounds
Restrict DLL search path
windowsSet SafeDllSearchMode registry key to restrict DLL search order
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f
Apply least privilege
windowsRestrict user permissions to prevent DLL planting in vulnerable directories
icacls "C:\Program Files\Intel\oneAPI\" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Implement strict access controls to limit which users can run the compiler software
- Monitor for suspicious DLL loading events and file creation in compiler directories
🔍 How to Verify
Check if Vulnerable:
Check compiler version using 'dpcpp --version' or 'icx --version' and verify it's below 2025.0.0Check Version:
dpcpp --versionVerify Fix Applied:
Run 'dpcpp --version' or 'icx --version' and confirm version is 2025.0.0 or higher📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 4688 (process creation) showing compiler execution from unusual locations
- Sysmon Event ID 7 (image loaded) showing DLL loading from non-standard paths
Network Indicators:
- No network indicators - this is a local privilege escalation
SIEM Query:
source="windows" EventID=4688 OR EventID=7 (process_name="dpcpp.exe" OR process_name="icx.exe") AND (image_loaded="*\Temp\*" OR image_loaded="*\Users\*\*" OR image_loaded="*\Public\*")