CVE-2025-4539
📋 TL;DR
This CVE describes a critical privilege escalation vulnerability in ToDesk 4.7.6.3 where an uncontrolled search path in profapi.dll allows local attackers to execute arbitrary code with elevated privileges. The vulnerability affects users running the vulnerable version of ToDesk on Windows systems. Attackers can exploit this to gain SYSTEM-level access on compromised machines.
💻 Affected Systems
- Hainan ToDesk
📦 What is this software?
ToDesk, a remote desktop / remote control application published by Hainan ToDesk. Only version 4.7.6.3 on Windows is named in this advisory.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, allowing complete control over the affected machine, data theft, persistence installation, and lateral movement within the network.
Likely Case
Local privilege escalation from a standard user account to SYSTEM privileges, enabling installation of malware, credential harvesting, and bypassing security controls.
If Mitigated
Limited impact if proper application whitelisting, least privilege principles, and DLL search path hardening are implemented.
🎯 Exploit Status
Exploit has been publicly disclosed but requires local access and specific conditions. The vendor has not responded to disclosure attempts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Consider uninstalling ToDesk 4.7.6.3 until vendor releases a fix.
🔧 Temporary Workarounds
DLL Search Path Hardening
Windows: configure Windows to use SafeDllSearchMode and set the DLL search order to prioritize system directories
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v CWDIllegalInDllSearch /t REG_DWORD /d 0xffffffff /f
Application Whitelisting
Windows: use AppLocker or Windows Defender Application Control to restrict DLL loading from untrusted locations
🧯 If You Can't Patch
- Uninstall ToDesk 4.7.6.3 completely from affected systems
- Implement strict least privilege principles - ensure users don't have write access to any directory in the DLL search path (the ToDesk install directory, the current directory, and directories on PATH)
🔍 How to Verify
Check if Vulnerable:
Check the ToDesk version by navigating to Help > About in the ToDesk interface, or by looking at the installed programs list in Control Panel
Check Version:
wmic product where name="ToDesk" get version
Verify Fix Applied:
Verify ToDesk is uninstalled or updated to a version later than 4.7.6.3
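The registry settings from the workaround, the version check from this section, and the directory-permission check that actually decides whether a standard user can plant profapi.dll where ToDesk would load it, combined into one read-only PowerShell audit. This is an added example, not code from the advisory or from ToDesk; it assumes ToDesk registers an Uninstall registry entry whose DisplayName begins with "ToDesk" and whose InstallLocation value is populated, and it reads the two Session Manager values exactly as the workaround above sets them.

```powershell
# Added example, not from the advisory or from ToDesk. Audits the DLL search-path
# registry values named in the workaround, finds the ToDesk install through the
# Uninstall registry keys (key name unknown, so matched by DisplayName), compares
# the version with 4.7.6.3 and lists ACL entries that let standard users write
# into the install directory. Reports only; changes nothing. Run elevated.

$vulnerableVersion = [version]'4.7.6.3'
$sessionManager    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Test-DllSearchHardening {
    $props = Get-ItemProperty -Path $sessionManager -ErrorAction SilentlyContinue
    $safe  = $props.SafeDllSearchMode       # absent means the default (enabled)
    $cwd   = $props.CWDIllegalInDllSearch   # REG_DWORD 0xffffffff reads back as Int32 -1
    [pscustomobject]@{
        SafeDllSearchMode     = if ($null -eq $safe) { 'absent (default: enabled)' } else { $safe }
        CWDIllegalInDllSearch = if ($null -eq $cwd)  { 'absent (CWD still searched)' } else { '0x{0:x8}' -f $cwd }
        Hardened              = ($safe -ne 0) -and ($cwd -eq -1)
    }
}

function Get-ToDeskInstall {
    # Assumption: the Uninstall entry's DisplayName starts with 'ToDesk'.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'ToDesk*' } |
        ForEach-Object {
            $ver    = $null
            $parsed = [version]::TryParse([string]$_.DisplayVersion, [ref]$ver)
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                InstallLocation = $_.InstallLocation
                # The advisory names only 4.7.6.3 and treats later versions as fixed;
                # anything not newer than that (or unparseable) is flagged for review.
                NeedsAttention  = (-not $parsed) -or ($ver -le $vulnerableVersion)
            }
        }
}

function Get-WritableByStandardUsers {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return @() }
    # Any of these rights lets a standard user create or replace a DLL in the directory.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $lowPriv   = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        ([int]($_.FileSystemRights -band $writeMask)) -ne 0
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

Test-DllSearchHardening | Format-List
foreach ($install in Get-ToDeskInstall) {
    $install | Format-List
    $writable = Get-WritableByStandardUsers -Path $install.InstallLocation
    if ($writable) {
        Write-Warning "Standard users can write into $($install.InstallLocation); a DLL planted there is found before any search-order setting applies."
        $writable | Format-Table -AutoSize
    }
}
```

SafeDllSearchMode and CWDIllegalInDllSearch only govern where the current directory sits in the search order (or remove it). The directory the application was loaded from is always searched first, so the ACL report is the part that tells you whether a standard user could drop a profapi.dll in ToDesk's path; a hardened registry with a writable install directory is still exposed.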
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing DLL loading from unusual locations
- Process creation events for ToDesk whose parent process, or the user account of that parent, is not the one normally seen on that host
Network Indicators:
- Unusual outbound connections from ToDesk process after local exploitation
SIEM Query (pseudo-SQL; field names follow Windows Security event 4688 and Sysmon event 7, adjust to your SIEM's schema):
- Process creation (Security 4688): EventID=4688 AND NewProcessName LIKE "%ToDesk%" AND ParentProcessName NOT LIKE "%explorer.exe" AND ParentProcessName NOT LIKE "%svchost.exe"
- DLL load (Sysmon 7; event 4688 never names a DLL, so a profapi.dll clause on it cannot match): EventID=7 AND Image LIKE "%ToDesk%" AND ImageLoaded LIKE "%\profapi.dll" AND ImageLoaded NOT LIKE "C:\Windows\System32\%" AND ImageLoaded NOT LIKE "C:\Windows\SysWOW64\%"
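The DLL-load side of the detection as runnable logic, so it can be tested against sample records before being pointed at a live Sysmon log. This is an added example, not code from the advisory or from ToDesk; the sample records and the install path C:\Program Files\ToDesk\ are constructed, and the live query at the end assumes Sysmon is installed with image-load (event 7) logging enabled in its configuration.

```powershell
# Added example, not from the advisory or from ToDesk. Flags profapi.dll being
# loaded by a ToDesk process from anywhere other than the Windows system
# directories. Sysmon Event ID 7 (ImageLoad) carries both the loading process
# (Image) and the DLL path (ImageLoaded); Security event 4688 does not.

$systemDir = [Environment]::SystemDirectory   # e.g. C:\Windows\System32

function ConvertFrom-SysmonEvent {
    # Flatten a Sysmon EventLogRecord into one object holding its EventData fields.
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $fields = @{ EventId = $Event.Id }
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]$fields
    }
}

function Test-SuspiciousProfapiLoad {
    # $Record needs EventId, Image (loading process) and ImageLoaded (DLL path).
    param($Record)
    if ($Record.EventId -ne 7) { return $false }
    $proc = [IO.Path]::GetFileName([string]$Record.Image)
    $dll  = [IO.Path]::GetFileName([string]$Record.ImageLoaded)
    if ($proc -notlike 'ToDesk*' -or $dll -ne 'profapi.dll') { return $false }
    # The legitimate copy lives in System32 (or SysWOW64 for a 32-bit process).
    $dllDir = [IO.Path]::GetDirectoryName([string]$Record.ImageLoaded).TrimEnd('\')
    $legit  = @($systemDir, ($systemDir -replace 'System32$', 'SysWOW64'))
    return -not ($legit -contains $dllDir)     # -contains is case-insensitive
}

# Constructed sample records (not real telemetry): only the second one should fire.
$sample = @(
    [pscustomobject]@{ EventId = 7; Image = 'C:\Program Files\ToDesk\ToDesk.exe'; ImageLoaded = 'C:\Windows\System32\profapi.dll' },
    [pscustomobject]@{ EventId = 7; Image = 'C:\Program Files\ToDesk\ToDesk.exe'; ImageLoaded = 'C:\Program Files\ToDesk\profapi.dll' },
    [pscustomobject]@{ EventId = 7; Image = 'C:\Windows\explorer.exe';            ImageLoaded = 'C:\Users\alice\profapi.dll' },
    [pscustomobject]@{ EventId = 1; Image = 'C:\Program Files\ToDesk\ToDesk.exe'; ImageLoaded = $null }
)

$sample | Where-Object { Test-SuspiciousProfapiLoad $_ } | Format-Table Image, ImageLoaded -AutoSize

# Against a live host (Sysmon with ImageLoad enabled for ToDesk in its config):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } |
#     ConvertFrom-SysmonEvent | Where-Object { Test-SuspiciousProfapiLoad $_ }
```

The third sample record (profapi.dll loaded from a user profile by explorer.exe) is deliberately not flagged by this rule, because it is scoped to ToDesk as the advisory is; a broader rule that alerts on any non-system profapi.dll load is a reasonable generalisation, but expect to tune it against legitimate software that ships its own copies of system-named DLLs.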
🔗 References
- https://vuldb.com/?ctiid.308284
- https://vuldb.com/?id.308284
- https://vuldb.com/?submit.566698
- https://www.yuque.com/ba1ma0-an29k/nnxoap/dgxzuhd90e19grpg?singleDoc
- https://www.yuque.com/ba1ma0-an29k/nnxoap/dgxzuhd90e19grpg?singleDoc#%20%E3%80%8Atodesk%20program%20has%20a%20privilege%20escalation%20vulnerability%E3%80%8B