CVE-2025-50675
📋 TL;DR
GPMAW 14 has insecure file permissions in its installation directory, allowing any user with local access to replace the uninstaller executable. When an administrator runs the uninstaller, it executes with elevated privileges, enabling privilege escalation to administrator level. This affects all systems running GPMAW 14 with default permissions.
💻 Affected Systems
- GPMAW
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via privilege escalation to administrator, allowing installation of persistent malware, data theft, or complete system control.
Likely Case
Local privilege escalation leading to administrative access on the compromised system, enabling further lateral movement or data access.
If Mitigated
Limited to user-level access only, preventing privilege escalation through proper file permission controls.
🎯 Exploit Status
Exploitation requires local user access but is straightforward: the uninstaller executable is simply replaced with a malicious version.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch is available. Apply the workarounds below, or upgrade to a fixed version if the vendor releases one.
🔧 Temporary Workarounds
Restrict GPMAW Installation Directory Permissions
Windows: Modify file permissions on the GPMAW installation directory to restrict write access to administrators only.
icacls "C:\Program Files\GPMAW" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F" /grant:r "Users:(OI)(CI)RX"
Remove GPMAW from Non-Admin Users
Windows: Uninstall GPMAW from systems where non-administrative users have access.
🧯 If You Can't Patch
- Implement strict access controls to limit which users can log in to systems running GPMAW
- Monitor for unauthorized file modifications in the GPMAW installation directory using file integrity monitoring
🔍 How to Verify
Check if Vulnerable:
Check permissions on the GPMAW installation directory: icacls "C:\Program Files\GPMAW". If the 'Users' group has 'F' (Full control) or 'M' (Modify) permissions, the system is vulnerable.
Check Version:
Check GPMAW version in Control Panel > Programs and Features or via registry: reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GPMAW" /v DisplayVersion
Verify Fix Applied:
Verify that only 'Administrators' and 'SYSTEM' have 'F' (Full control) permissions on the GPMAW directory, and 'Users' have only 'RX' (Read & Execute) or less.
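The icacls check above can be run over output collected from many hosts by parsing it. This is an added example, not part of the original advisory or any vendor tooling: the function name `risky_aces`, the constructed sample output and the list of trusted (English) principal names are assumptions, and it widens the F/M test to W and the specific write, delete and ACL-change rights that icacls prints.

```python
import re

# icacls tokens that allow replacing a file or changing its ACL or owner.
# Wider than the F/M test in the text: also W and specific rights.
WRITE_RIGHTS = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "DC", "DE", "WDAC", "WO"}
FLAGS = {"OI", "CI", "IO", "NP", "I"}  # inheritance markers, not rights
# Assumption: English principal names. CREATOR OWNER only takes effect once a
# principal can create files, which the other ACEs decide.
TRUSTED = {"nt authority\\system", "builtin\\administrators",
           "nt service\\trustedinstaller", "creator owner"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^()]*\))+)$")

# Constructed sample of `icacls "C:\Program Files\GPMAW"` output, not a capture.
SAMPLE_PATH = r"C:\Program Files\GPMAW"
SAMPLE = r"""C:\Program Files\GPMAW BUILTIN\Users:(OI)(CI)(M)
                       NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                       BUILTIN\Administrators:(OI)(CI)(F)
                       NT AUTHORITY\Authenticated Users:(I)(RX,W)
                       CREATOR OWNER:(OI)(CI)(IO)(F)
                       Everyone:(DENY)(WD)

Successfully processed 1 files; Failed processing 0 files"""


def risky_aces(icacls_output, path):
    """Return [(principal, write-capable rights)] for untrusted allow ACEs."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first line is prefixed by the path
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        tokens = set()
        for group in re.findall(r"\(([^()]*)\)", m["groups"]):
            tokens.update(t.strip().upper() for t in group.split(","))
        if "DENY" in tokens:
            continue  # deny ACEs grant nothing
        who = m["who"].strip()
        risky = sorted((tokens - FLAGS) & WRITE_RIGHTS)
        if risky and who.lower() not in TRUSTED:
            findings.append((who, risky))
    return findings


if __name__ == "__main__":
    for who, rights in risky_aces(SAMPLE, SAMPLE_PATH):
        print(f"{who}: {','.join(rights)}")
```

Feed it the icacls output for the uninstaller executable as well as the directory: the workaround command above has no /T switch, so explicit ACEs already set on individual files are left in place.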
📡 Detection & Monitoring
Log Indicators:
- Windows Security Event ID 4663 (File system access) showing non-admin users writing to GPMAW directory
- Process creation events showing GPsetup64_17028.exe execution with elevated privileges
Network Indicators:
- No network indicators - this is a local privilege escalation vulnerability
SIEM Query:
EventID=4663 AND ObjectName LIKE "%GPMAW%" AND Accesses="WriteData" AND SubjectUserName NOT IN ("SYSTEM", "Administrator")