CVE-2025-43715

8.1 HIGH

📋 TL;DR

This vulnerability allows local users on Windows systems to escalate privileges to SYSTEM during NSIS installer execution. Attackers can exploit a race condition in temporary directory creation to place malicious executables that run with elevated permissions. It only affects NSIS installations on Windows where unprivileged users can access the system.

💻 Affected Systems

Products:
  • Nullsoft Scriptable Install System (NSIS)
Versions: All versions before 3.11
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when NSIS installers are executed on Windows systems. The vulnerability exists in the NSIS framework itself, not in specific applications built with it.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence establishment, and lateral movement.

🟠 Likely Case

Local user escalates privileges to install malware, modify system files, or access restricted data and resources.

🟢 If Mitigated

No impact if proper access controls prevent local users from writing to Windows temp directories or if NSIS installers aren't used.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access to the system.
🏢 Internal Only: HIGH - Internal users with local access can exploit this to gain SYSTEM privileges on affected workstations/servers.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and winning a race condition during installer execution. The bug report suggests the vulnerability is exploitable but no public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: NSIS 3.11

Vendor Advisory: https://nsis.sourceforge.io/Docs/AppendixF.html#v3.11-rl

Restart Required: No

Instructions:

  1. Download NSIS 3.11 or later from official source.
  2. Replace existing NSIS installation.
  3. Recompile any custom NSIS installers with the updated version.
  4. Distribute updated installers to end users.

🔧 Temporary Workarounds

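Restrict Windows temp directory permissions (platform: Windows)

Modify permissions on %WINDIR%\temp to prevent unprivileged users from writing files. Explicit deny entries take precedence over allow entries, so confirm that software which legitimately writes to this directory still works after the change.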

icacls "%WINDIR%\temp" /deny "Users:(OI)(CI)(W)"
icacls "%WINDIR%\temp" /deny "Authenticated Users:(OI)(CI)(W)"

Use alternative installer frameworks (platform: all)

Replace NSIS with other installer frameworks that don't have this vulnerability

🧯 If You Can't Patch

  • Restrict local user access to systems running NSIS installers
  • Monitor for suspicious privilege escalation attempts and file writes to Windows temp directories

🔍 How to Verify

Check if Vulnerable:

Check NSIS version: Open NSIS, go to Help > About, or check the installer binary properties. Versions before 3.11 are vulnerable.

Check Version:

makensis /VERSION

Verify Fix Applied:

Confirm NSIS version is 3.11 or later. Test installer execution while monitoring for unrestricted temp directory creation.

📡 Detection & Monitoring

Log Indicators:

  • Failed privilege escalation attempts
  • Unusual file writes to %WINDIR%\temp by non-admin users
  • Multiple rapid file creation attempts in temp directory

Network Indicators:

  • No network indicators - this is local privilege escalation

SIEM Query:

EventID=4688 AND (ProcessName LIKE '%makensis%' OR CommandLine LIKE '%NSIS%') AND NewProcessName LIKE '%temp%'
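
A narrower version of the check behind the SIEM query above, as an added example that is not part of the original page or any vendor tooling: the query's '%temp%' pattern also matches per-user temp folders, so this keeps only event 4688 records whose image path resolves under %WINDIR%\temp and whose MandatoryLabel is high or system integrity. It assumes Windows is installed in C:\Windows and that events arrive as dicts keyed by the 4688 field names; the sample events are constructed.

```python
import ntpath

# Assumption: Windows lives in C:\Windows, so %WINDIR%\temp is C:\Windows\Temp.
WINDIR_TEMP = ntpath.normcase(r"C:\Windows\Temp")
# Integrity-level SIDs found in the MandatoryLabel field of event 4688.
ELEVATED_LABELS = {"S-1-16-12288": "high", "S-1-16-16384": "system"}


def under_windir_temp(path):
    """True if path resolves (case-insensitively) below %WINDIR%\\temp."""
    norm = ntpath.normcase(ntpath.normpath(path))
    return norm.startswith(WINDIR_TEMP + "\\")


def elevated_temp_launches(events):
    """Return triage candidates: elevated processes started from %WINDIR%\\temp."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        level = ELEVATED_LABELS.get(ev.get("MandatoryLabel", ""))
        image = ev.get("NewProcessName", "")
        if level and under_windir_temp(image):
            hits.append({"image": image, "integrity": level,
                         "parent": ev.get("ParentProcessName", "")})
    return hits


# Constructed sample events; paths and names are illustrative only.
SAMPLE_EVENTS = [
    # Per-user temp at medium integrity: matches '%temp%' but is routine.
    {"EventID": 4688, "MandatoryLabel": "S-1-16-8192",
     "NewProcessName": r"C:\Users\alice\AppData\Local\Temp\nsA1.tmp\helper.exe",
     "ParentProcessName": r"C:\Users\alice\Downloads\setup.exe"},
    # SYSTEM-integrity process started from %WINDIR%\temp: review this one.
    {"EventID": 4688, "MandatoryLabel": "S-1-16-16384",
     "NewProcessName": r"c:\windows\TEMP\nsB2.tmp\helper.exe",
     "ParentProcessName": r"C:\Windows\Temp\setup.exe"},
    # Path only passes through the temp directory; it resolves to System32.
    {"EventID": 4688, "MandatoryLabel": "S-1-16-16384",
     "NewProcessName": r"C:\Windows\Temp\..\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe"},
    # Medium-integrity process in %WINDIR%\temp: not elevated, not reported.
    {"EventID": 4688, "MandatoryLabel": "S-1-16-8192",
     "NewProcessName": r"C:\Windows\Temp\tool.exe", "ParentProcessName": ""},
]

if __name__ == "__main__":
    print(*elevated_temp_launches(SAMPLE_EVENTS), sep="\n")
```

Hits are triage candidates, not verdicts: installers deployed under the SYSTEM account can legitimately start helpers from this directory.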
