Home | Research | Resources | Advisories | Private Internet Access VPN Client for Windows
Privilege Escalation
CVE ID
CVE-2018-10190
VENDOR
London Trust Media, Inc
PRODUCT
Private Internet Access VPN for Windows
Product version
v77
Vulnerability Details
A vulnerability in Private Internet Access VPN Client for Windows could allow an unauthenticated, local attacker to run executable files with elevated privileges. The vulnerability is due to insufficient implementation of the access controls. The Changelog and Help options available from the system tray context menu for the PIA VPN client spawns an elevated instance of the user's default web browser. An attacker could exploit this vulnerability by selecting Run as Administratorfrom the context menu of an executable file within the file browser of the spawned default web browser. This may allow the attacker to execute privileged commands on the targeted system.
Learn More →
Vendor response
The vendor has released an update
Disclosure timeline
03-23-2018 - Vendor disclosure via email 03-23-2018 - Vendor notified via Facebook 03-23-2018 - Vendor response via email 03-27-2018 - Vendor requests resubmission of disclosure to London Trust Media 03-27-2018 - Resubmission of vendor disclosure 03-27-2018 - Vendor responded with bug bounty offer 03-27-2018 - VerSprite declined bounty 03-28-2018 - Vendor submitted update for testing 03-28-2018 - VerSprite Security tests update and confirmed vulnerability resolution 04-05-2018 - Vendor releases update 04-17-2018 - Vendor notified of the advisory release
Copyright 2021 VerSprite - All Rights Reserved
