Threat actors could leverage already patched zero-day flaws in Atera remote monitoring and management software installers for Windows to facilitate privilege escalation attacks, reports The Hacker News.
Mandiant researchers discovered both vulnerabilities, tracked as CVE-2023-26077 and CVE-2023-26078, within the repair functionality of the Microsoft Software Installer. The former could be exploited via DLL hijacking to eventually obtain a Command Prompt running as the NT AUTHORITY\SYSTEM user.
Meanwhile, attackers with elevated privileges could exploit CVE-2023-26078 to spawn a Windows Console Host child process, which could later be used for a local privilege escalation intrusion, according to the report.
"Misconfigured Custom Actions can be trivial to identify and exploit, thereby posing significant security risks for organizations. It is essential for software developers to thoroughly review their Custom Actions to prevent attackers from hijacking NT AUTHORITY\SYSTEM operations triggered by MSI repairs," said Mandiant researcher Andrew Oliveau.