AS-24873 Vulnerability issue for ZDI-CAN-26850
Review Request #1501 — Created June 4, 2026 and updated
| Information | |
|---|---|
| jasonchou | |
| AG | |
| rel_ag_9_4_5 | |
| DEX-71 | |
| Reviewers | |
| evalin | |
The product defines a DCOM application named
ArrayInstallManager, CLSIDC0E366E5-AD8D-481F-9639-87B4F8F4737F. Local launch and local activation permissions are granted toEveryone. The application is served by theVPNInstallManagerservice, running asSYSTEM. The application exposes a COM object,ArrayInstallManager.InstallManager.1, CLSIDCB33EE85-E9E2-4167-AF1D-A65194B287CB, which exposes a dispatch interfaceIInstallManager. This interface contains several methods that perform highly privileged operations that can be used for privilege escalation. In particular,CopyFileToLocalcan be used in a straightforward fashion by a low-privileged attacker to drop an arbitrary file to an arbitrary location in the context of SYSTEM, leading to local privilege escalation to SYSTEM. The interface contains various other methods that may also be used for local privilege escalation.
