CVE-2025-59485
📋 TL;DR
This vulnerability allows local authenticated users on Windows systems running MaLion Security Point versions before 5.3.4 to place arbitrary files in a specific folder. If a specially crafted DLL is placed there, it could be executed with SYSTEM privileges, leading to privilege escalation.
💻 Affected Systems
- MaLion Security Point (Windows client)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local authenticated attacker gains SYSTEM privileges through DLL hijacking, enabling complete system compromise, persistence, and lateral movement.
Likely Case
Malicious insider or compromised user account escalates privileges to SYSTEM to install malware, steal credentials, or bypass security controls.
If Mitigated
With proper access controls and monitoring, impact is limited to an isolated system compromise that can be detected and contained.
🎯 Exploit Status
Exploitation requires local authenticated access and knowledge of the specific vulnerable folder path. DLL planting is a well-known technique.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.3.4
Vendor Advisory: https://www.intercom.co.jp/information/2025/1125.html
Restart Required: Yes
Instructions:
1. Download MaLion Security Point version 5.3.4 from official vendor sources.
2. Install the update following vendor instructions.
3. Restart the system to ensure changes take effect.
🔧 Temporary Workarounds
Restrict folder permissions
Windows: Modify permissions on the vulnerable folder to prevent unauthorized file creation
icacls "C:\Program Files\MaLion\Security Point\vulnerable_folder" /deny Users:(OI)(CI)W
Enable DLL signature verification
Windows: Configure Windows to require signed DLLs where possible
🧯 If You Can't Patch
- Implement strict least privilege access controls to limit who can log into affected systems
- Monitor for suspicious file creation in MaLion program directories and DLL loading events
🔍 How to Verify
Check if Vulnerable:
Check MaLion Security Point version in Control Panel > Programs and Features. If version is below 5.3.4, system is vulnerable.
Check Version:
wmic product where name="MaLion Security Point" get version
Verify Fix Applied:
Verify version shows 5.3.4 or higher in Control Panel > Programs and Features. Test that unauthorized users cannot create files in MaLion program directories.
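Both verification steps above can be scripted without wmic, which is deprecated and whose product query triggers a Windows Installer consistency check of every installed package. The following is an added PowerShell example, not vendor code or part of the original page. `$InstallRoot` is an assumed path that must be set to the real install location, and the trusted-SID list is an assumption about which principals may legitimately write there.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell prompt.
$ProductName  = 'MaLion Security Point'     # display name as given on this page
$FixedVersion = [version]'5.3.4'            # patch version from the vendor advisory
$InstallRoot  = 'C:\Program Files\MaLion'   # ASSUMPTION: set to the real install path

# 1) Version check from the Uninstall registry keys (read-only lookup).
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*$ProductName*" } |
    ForEach-Object {
        $v = $null
        $state = if (-not [version]::TryParse([string]$_.DisplayVersion, [ref]$v)) {
            'UNKNOWN (check manually)'
        } elseif ($v -ge $FixedVersion) { 'patched' } else { 'VULNERABLE' }
        '{0} {1}: {2}' -f $_.DisplayName, $_.DisplayVersion, $state
    }

# 2) ACL audit: Allow ACEs that let a non-administrative principal create or
#    append files, or rewrite the ACL, in any directory under the install root.
$rights    = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, ChangePermissions, TakeOwnership'
$writeBits = [int]$rights -bor 0x40000000 -bor 0x10000000   # plus GENERIC_WRITE, GENERIC_ALL
$trustedSids = 'S-1-5-18',       # SYSTEM
               'S-1-5-32-544',   # BUILTIN\Administrators
               'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
$sidType = [System.Security.Principal.SecurityIdentifier]   # SIDs do not depend on display language
$dirs = @(Get-Item -LiteralPath $InstallRoot) +
        @(Get-ChildItem -LiteralPath $InstallRoot -Directory -Recurse -Force -ErrorAction SilentlyContinue)
foreach ($dir in $dirs) {
    foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs (e.g. CREATOR OWNER) do not apply to this directory itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($trustedSids -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
        [pscustomobject]@{ Path = $dir.FullName; Sid = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
    }
}
```

An empty result from step 2 means no principal outside the trusted list can create files under the install root. Any row returned identifies a directory whose permissions should be tightened or reported.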
📡 Detection & Monitoring
Log Indicators:
- File creation events in MaLion program directories by non-SYSTEM users
- Process creation events showing MaLion loading DLLs from unexpected locations
- Windows Event ID 4688 (process creation) where the parent process is a MaLion service
Network Indicators:
- Unusual outbound connections from MaLion processes
- DNS queries for command and control domains from SYSTEM context
SIEM Query:
source="windows_security" event_id=4688 (process_name="*malion*" OR parent_process_name="*malion*") | stats count by process_name, parent_process_name, user