Local Privilege Escalation in FlexNet Publisher by Flexera
CVE-2024-2658

8.5HIGH

Key Information:

Vendor: Flexera
Status: Flexnet Publisher
Vendor: CVE Published:; 30 January 2025

What is CVE-2024-2658?

A misconfiguration in the lmadmin.exe component of FlexNet Publisher versions prior to 2024 R1 (11.19.6.0) enables an issue where the OpenSSL configuration file could be loaded from an incorrect directory. An attacker with low privileges can create the non-existent directory and deploy a malicious openssl.conf file. This malicious configuration can lead to the execution of arbitrary DLLs with elevated privileges, significantly compromising system integrity and security.

Affected Version(s)

FlexNet Publisher Windows 0 < 2024 R1 (11.19.6.0)

References

https://community.flexera.com/s/article/cve-2024-2658-fle...

vendor-advisory

https://www.zerodayinitiative.com/advisories/ZDI-24-359/

third-party-advisory

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 30, 2025
Vulnerability Reserved
Mar 19, 2024

CVE-2024-2658 Data

JSON