Private Internet Access VPN Client for Windows

Privilege Escalation


London Trust Media, Inc


Private Internet Access VPN for Windows

Product Version


Vulnerability Details

A vulnerability in Private Internet Access VPN Client for Windows could allow an unauthenticated, local attacker to run executable files with elevated privileges. The vulnerability is due to insufficient implementation of the access controls. The Changelog and Help options available from the system tray context menu for the PIA VPN client spawns an elevated instance of the user’s default web browser. An attacker could exploit this vulnerability by selecting Run as Administratorfrom the context menu of an executable file within the file browser of the spawned default web browser. This may allow the attacker to execute privileged commands on the targeted system.

Vendor Response

The vendor has released an update

Disclosure Timeline

  • Vendor disclosure via email

  • Vendor notified via Facebook

  • Vendor response via email

  • Vendor requests resubmission of disclosure to London Trust Media

  • Resubmission of vendor disclosure

  • Vendor responded with bug bounty offer

  • VerSprite declined bounty

  • Vendor submitted update for testing

  • VerSprite Security tests update and confirmed vulnerability resolution

  • Vendor releases update

  • Vendor notified of the advisory release