An attacker can activate “God Mode” on an organization’s network
Synopsys has discovered a dangerous local privilege-escalation (LPE) vulnerability in Kaspersky VPN Secure Connection for Windows that allows an authenticated attacker to delete a file on the victim’s system.
Bug CVE-2022-27535 with a CVSS score of 5.0 out of 10 is located in the Support Tools part of the application. With its help, a cybercriminal can initiate arbitrary deletion of files in the system.
“This may cause the device to malfunction or delete important system files necessary for the correct operation of the system,” said a Kaspersky Lab representative.
There is only one way to carry out this attack: an attacker must create a specific file and convince the user to execute a command in the application “Delete all service data and reports” or “Save the report on your computer.”
Synopsys has not encountered exploitation of this bug, but “it is likely that attackers will take note of it as a possible technique.” Users should upgrade to version 21.7.7.393 or later to fix their systems. I would like to note that Kaspersky Lab promptly released a fix for this vulnerability. The LC report can be found here.