Unquoted Service Path Vulnerability in Tosibox Key Service 3.3.0
CVE-2024-58315

8.5HIGH

Key Information:

Vendor

Tosibox Oy

Status
Tosibox Key Service
Vendor
CVE Published:
30 December 2025

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2024-58315?

Tosibox Key Service version 3.3.0 exhibits an unquoted service path vulnerability, where local users without administrative privileges may exploit this weakness to execute arbitrary code with elevated permissions. This flaw arises from the improper handling of the service startup process, allowing attackers to insert malicious code into the system root path. Consequently, unauthorized code can be executed during application startup or system reboot, posing significant security risks to system integrity and confidentiality.

Affected Version(s)

Tosibox Key Service Unknown <= 3.3.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-58315 - Proof of Concept

References

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-58...
third-party-advisory
https://packetstormsecurity.com/files/177260/
exploit
https://www.tosi.net/
vendor-advisory

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

LiquidWorm as Gjoko Krstic of Zero Science Lab
JSON
.
CVE-2024-58315 : Unquoted Service Path Vulnerability in Tosibox Key Service 3.3.0