A high-severity vulnerability exists within the Deep Instinct Windows Agent, identified as CVE-2020-37047. This flaw allows a local attacker with basic user permissions to escalate their privileges to the highest level (SYSTEM), enabling a complete compromise of the affected endpoint. Successful exploitation could lead to data theft, malware deployment, and lateral movement within the network.

This vulnerability is a local privilege escalation due to improper permissions in the Deep Instinct Agent's application directory, a condition often leading to DLL hijacking. An authenticated attacker with low-level privileges on a local system can replace a specific Dynamic Link Library (DLL) file used by the agent with a malicious one. When the Deep Instinct agent service is started or restarted, it loads and executes the malicious DLL with SYSTEM-level privileges, granting the attacker full administrative control over the compromised machine.

This vulnerability is rated as High severity with a CVSS score of 7.8. If exploited, an attacker who has already gained initial low-privilege access can elevate their permissions to SYSTEM, effectively gaining complete control of the endpoint. This level of access would allow the attacker to bypass all security controls, disable the security agent itself, install persistent malware or ransomware, exfiltrate sensitive corporate data, and use the compromised system as a pivot point to attack other resources on the network. The potential business impact includes data breach, significant operational disruption, and reputational damage.

Immediate Action: Update the Deep Instinct Windows Agent to version 1.9.0.51 or a later version across all affected endpoints immediately. After patching, monitor systems for any signs of post-exploitation activity and review security logs for indicators of compromise that may have occurred prior to remediation.

Proactive Monitoring: Implement enhanced monitoring to detect potential exploitation attempts. Look for unusual file write operations or modifications to DLLs within the Deep Instinct installation directory. Monitor for suspicious child processes spawning from the Deep Instinct service (e.g., di_service.exe), such as cmd.exe or powershell.exe, and configure EDR alerts for known privilege escalation techniques.

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

• Use File Integrity Monitoring (FIM) to alert on any changes to files within the Deep Instinct Agent's program directories.
• Apply strict access control lists (ACLs) to the agent's installation folder to prevent low-privilege users from writing or modifying files.
• Deploy application whitelisting solutions to prevent unauthorized DLLs from being loaded.

Public Exploit Available: true

Given the high severity (CVSS 7.8) and the public availability of a functional exploit, immediate remediation is strongly recommended. The ability for an attacker to gain full SYSTEM-level control presents a critical risk to the security of the endpoint and the broader network. Organizations must prioritize the deployment of the vendor-supplied security update for the Deep Instinct Windows Agent to all vulnerable systems to prevent potential compromise.