CVE-2025-57625
CYRISMA · CYRISMA Sensor for Windows
Executive summary
A high-severity vulnerability has been identified in CYRISMA Sensor software for Windows, which could allow a local attacker to gain full administrative control over the affected system. The flaw stems from insecure folder and file permissions that permit a low-privileged user to execute malicious code with elevated rights. Successful exploitation could lead to a complete system compromise, enabling data theft, malware deployment, and further network intrusion.
Vulnerability
The vulnerability is an insecure file and folder permission issue within the CYRISMA Sensor's installation directory on Windows. The software assigns weak access control lists (ACLs) to its program folders, allowing standard or low-privileged users to write to or modify files within them. An attacker with local user access can exploit this by replacing a legitimate executable or library file used by the Sensor service with a malicious payload. When the high-privileged Sensor service is next started or restarted, it executes the attacker's code, resulting in privilege escalation to the level of the service account, which is typically SYSTEM.
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.8. A successful exploit would allow an attacker to escalate privileges from a standard user to a SYSTEM-level administrator, granting them complete control over the endpoint. This could lead to severe consequences, including the deployment of ransomware, exfiltration of sensitive corporate data, disabling of security controls, and using the compromised system as a launchpad for lateral movement across the organization's network. Since the Sensor agent is a security product often deployed on critical assets, its compromise undermines the very security posture it is meant to uphold.
Remediation
Immediate Action:
- Immediately apply the security update provided by the vendor to upgrade all instances of CYRISMA Sensor for Windows to version 444 or later.
- After patching, review system and application logs for any signs of suspicious activity or unauthorized access related to the Sensor service that occurred prior to the update.
Proactive Monitoring:
- File Integrity Monitoring (FIM): Monitor the CYRISMA Sensor installation directories for any unauthorized file modifications, creations, or permission changes.
- Log Analysis: Review Windows Security Event Logs for unusual process creation events originating from the Sensor service (e.g., services.exe spawning unexpected child processes).
- Endpoint Detection and Response (EDR): Configure EDR solutions to alert on suspicious command-line executions or file writes in the Sensor's program folders by non-administrative users.
Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:
- Manual ACL Hardening: Manually adjust the permissions on the CYRISMA Sensor installation folder and its subdirectories to restrict write access to only the SYSTEM and local Administrators group.
- Application Control: Use application whitelisting tools (like AppLocker) to prevent unauthorized executables from running from the Sensor's directories.
- Principle of Least Privilege: Ensure standard user accounts do not have unnecessary local access to servers and critical workstations where the Sensor is deployed.
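The following PowerShell script is an added example, not CYRISMA tooling, that audits an installation directory for write-capable ACEs granted to anyone other than SYSTEM and local Administrators (the FIM and ACL-hardening controls above) and, with -Harden, resets the folder ACL to those two principals plus read-only for Users. The install path is a placeholder; the advisory does not state the Sensor's directory.

```powershell
# Added example (not CYRISMA's code). $InstallDir is a placeholder: substitute the real Sensor path.
param(
    [string]$InstallDir = 'C:\Program Files\PLACEHOLDER-Sensor',
    [switch]$Harden
)
# Principals that may legitimately hold write rights on a SYSTEM service's program folder.
$Trusted = @('S-1-5-18', 'S-1-5-32-544')   # NT AUTHORITY\SYSTEM, BUILTIN\Administrators
$UsersSid = 'S-1-5-32-545'                  # BUILTIN\Users, granted read/execute only when hardening
# Any of these rights lets a low-privileged user plant or replace a file the service later loads.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-WeakAce {
    # Return Allow ACEs on $Path that grant write-class rights to an untrusted principal.
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }   # orphaned SID: report it as-is
        if ($Trusted -contains $sid) { continue }
        [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value
                           Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
    }
}

# Audit the folder itself and everything beneath it (hidden files included).
$targets = @(Get-Item -LiteralPath $InstallDir) + @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force)
$weak = foreach ($t in $targets) { Get-WeakAce -Path $t.FullName }
if (-not $weak) { Write-Host "No write-class rights for non-admin principals under $InstallDir"; return }
$weak | Format-Table -AutoSize

if ($Harden) {
    # Break inheritance, drop every explicit ACE, then grant SYSTEM/Administrators FullControl
    # and Users ReadAndExecute, all inheritable so new files and subfolders receive the same ACL.
    $acl = Get-Acl -LiteralPath $InstallDir
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($entry in @(@($Trusted | ForEach-Object { @($_, 'FullControl') }) , @($UsersSid, 'ReadAndExecute'))) {
        $id = New-Object System.Security.Principal.SecurityIdentifier($entry[0])
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, $entry[1], $inherit, 'None', 'Allow')))
    }
    Set-Acl -LiteralPath $InstallDir -AclObject $acl
    # Explicit (non-inherited) weak ACEs on child objects are not touched by the parent reset; remove them too.
    foreach ($w in ($weak | Where-Object { -not $_.Inherited -and $_.Path -ne $InstallDir })) {
        $childAcl = Get-Acl -LiteralPath $w.Path
        foreach ($rule in @($childAcl.Access | Where-Object { $_.IdentityReference.Value -eq $w.Identity -and -not $_.IsInherited })) {
            [void]$childAcl.RemoveAccessRule($rule)
        }
        Set-Acl -LiteralPath $w.Path -AclObject $childAcl
    }
}
```

Run the audit from an elevated prompt before and after patching; a non-empty table after applying the vendor update is worth reporting back to the vendor, and the hardened ACL should be re-audited after any reinstall, since installers commonly rewrite folder permissions.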
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the high CVSS score of 8.8 and the risk of a full system compromise, this vulnerability poses a significant threat to the organization. We strongly recommend that all vulnerable instances of the CYRISMA Sensor for Windows be patched to version 444 or newer with the highest priority. Although this CVE is not currently listed on the CISA KEV catalog, its potential for privilege escalation makes it a critical vulnerability to address immediately to prevent attackers from deepening their foothold within the network.