Unquoted Windows Search Path Vulnerability in Quest KACE Agent
CVE-2024-23774
Currently unrated
What is CVE-2024-23774?
An unquoted Windows search path vulnerability has been identified in the Quest KACE Agent, specifically in the KSchedulerSvc.exe and AMPTools.exe components. The flaw allows local attackers to execute arbitrary code with NT AUTHORITY\SYSTEM privileges, potentially leading to significant system compromise. Versions 12.0.38 and 13.1.23.0 are affected: because the application handles the search path incorrectly, an attacker who already has local access can use it to escalate privileges. Organizations using these versions are advised to review their configurations and apply the necessary security measures.
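An audit check for this class of flaw, as an added example that is not code from the advisory or from Quest: it takes service ImagePath values (on a real host, the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\<name>), flags the unquoted ones that contain spaces, and returns the quoted form. The service names and paths are constructed placeholders, since the advisory does not give the KACE install paths.

```python
import re

# Constructed sample ImagePath values (placeholders; the advisory does not
# give the KACE install paths). On a real host these come from the registry.
SAMPLE_SERVICES = {
    "ExampleSchedulerSvc": r"C:\Program Files (x86)\Example Vendor\Agent Dir\sched.exe -run",
    "ExampleQuotedSvc": r'"C:\Program Files\Example Vendor\tool.exe" /service',
    "ExampleNoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ExampleDriver": r"\SystemRoot\System32\drivers\example.sys",
}

# Shortest prefix ending in ".exe" followed by whitespace or end of string.
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def executable_part(image_path):
    """Return the executable portion of an unquoted ImagePath, or None."""
    match = _EXE.match(image_path.strip())
    return match.group(1) if match else None


def ambiguous_candidates(image_path):
    """Paths Windows may try before the intended binary; [] means not exposed."""
    value = image_path.strip()
    if value.startswith('"'):
        return []  # quoted: the program name is unambiguous
    exe = executable_part(value)
    if exe is None:
        return []
    # Every space in an unquoted path is a possible end of the program name.
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit(services):
    """Map each exposed service to its candidate paths and a quoted ImagePath."""
    findings = {}
    for name, image_path in services.items():
        candidates = ambiguous_candidates(image_path)
        if candidates:
            exe = executable_part(image_path)
            arguments = image_path.strip()[len(exe):]
            findings[name] = {"candidates": candidates, "fixed": f'"{exe}"{arguments}'}
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_SERVICES).items():
        print(name, "->", finding["fixed"])
        for path in finding["candidates"]:
            print("  candidate path:", path)
```

The candidate list identifies the locations whose write permissions matter for as long as the ImagePath stays unquoted.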