News

Vulnerability Analysis Report - CVE-2024-39425: A File System TOCTOU LPE case study

In corporate environments, users generally do not have administrative rights to install or update software, making maintenance a challenge for the IT department. 

To solve this problem, suppliers implement automatic update mechanisms that allow them to perform updates without user intervention.  

However, these mechanisms need to raise their privileges to function, which makes them a target of interest for both security researchers and attackers

In our laboratory, we discovered a vulnerability in the automatic update mechanism of Adobe Readeridentified as CVE-2024-39425

This flaw allows a local attacker to gain SYSTEM privileges, bypassing User Account Control (UAC) and restrictions on non-administrator users. Although the exploit requires pre-existing access to the target machine and several complex steps, if successfully exploited it allows full control of the system to be taken. 

We have reported this vulnerability to Adobe, which has released a corrective patch. We recommend that all users update their software to the latest available version to avoid possible attacks. 

If you wish to learn more, here is the link to our full report

In addition, you can subscribe to the specific mailing list to receive updates on upcoming reports:     

https://tinextadefence.it/mailing-list-malware-report/

Share:

Categories

Recent articles

Back to News

Related articles

Contact us

Privacy Policy
Privacy Policy
Tinexta Defence logo

Defence Tech | Next | Donexit | Foramil | Innodesi

Tinexta Defence S.r.l. - Share Capital € 25,000.00 i.v. - VAT No. 17105861003 - REA Rome No. 1696120.
Defence Tech Holding S.p.A. Benefit Corporation - Share Capital € 2,554,285.70 i.v. - VAT No. 11065701002 - REA Rome No. 1276114.
Copyright © Tinexta Defence - All Rights Reserved.

Degree in Business Administration from the University of Naples 'Federico II' with an MBA in Business Management achieved with high merit in 2008 by winning a scholarship provided by Invitalia S.p.A. from which she was selected in the first months of attendance as the best MBA profile.

After a brief experience in Invitalia S.p.A., he immediately held increasingly important roles in the management of Administration, Finance and Control of companies operating in the defence sector, theInformation Technology, of Cyber and National Security. In addition, she was Treasury Manager in companies operating in theEnergy.

He obtained an Executive Master in Finance (EMF) at SDA Bocconi in 2020, with a specialisation in Corporate Finance & Control and, in 2022, a further specialisation track in Asset, Wealth Management also at SDA Bocconi.

For over five years it has been the Chief Financial Officer of the Defence Tech Group, whose listing process he followed on the Euronext Growth Milan segment of Borsa Italiana.

From 2017 to 2024, she was a member of the boards of directors of all the legal entity of the Defence Tech Group with delegated powers over their financial management and from October 2021 to October 2024 was a Board Member of the Holding Company.

It is currently also Investor Relations Manager of the listed Defence Tech and follows all ESG issues of the Group.

In July 2021, she was recognised by Federmanager as one of the best talents under 44 at national level, receiving an important award as Young Manager 2020.