CVE-2020-24567: 
Everything vulnerability analysis and mitigation

voidtools Everything before 1.4.1 Beta Nightly 2020-08-18 (version 1.4.1.990) contained a privilege escalation vulnerability (CVE-2020-24567) that allowed attackers to exploit DLL hijacking via a Trojan horse urlmon.dll file in the installation directory. The vulnerability was discovered by Cymaera on August 16, 2020, reported to voidtools on August 17, 2020, and patched on August 18, 2020 (Cymaera Article).

The vulnerability exists because the Everything service, which runs with NT AUTHORITY\SYSTEM privileges, attempts to load urlmon.dll from its installation directory before loading it from C:\Windows\System32. This DLL loading behavior allows an attacker to place a malicious urlmon.dll in the installation directory to achieve code execution with SYSTEM privileges. The vulnerability has a CVSS v3.1 Base Score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability could allow attackers to achieve privilege escalation to SYSTEM level permissions, establish persistence across system reboots, and potentially bypass whitelisting mechanisms since the malicious code would be executed on behalf of a signed service (Cymaera Article).

The vulnerability was patched in Everything version 1.4.1.990 released on August 18, 2020. Users should upgrade to this version or later. The fix addresses the security issue with loading urlmon.dll and imm32.dll (Voidtools Forum).