DLL Hijacking Vulnerability in Configuration Wizard Installer by Silicon Labs
CVE-2024-9491

8.6 HIGH

Key Information:

Vendor
Silabs.com
Status
Configuration Wizard 2
CVE Published:
24 January 2025

Summary

A DLL hijacking vulnerability exists in the Configuration Wizard 2 installer from Silicon Labs, triggered by an uncontrolled search path. This flaw could allow an attacker to execute arbitrary code with escalated privileges by manipulating the installation process, representing a significant security concern for users running the affected installer.

Affected Version(s)

Configuration Wizard 2 (Windows): versions 0 through 4.50 (<= 4.50)

CVSS V3.1

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Thanks to Sahil Shah and Shaurya for reporting this issue.