CVE-2023-50446: 
Mullvad VPN vulnerability analysis and mitigation

A privilege escalation vulnerability (CVE-2023-50446) was discovered in Mullvad VPN Windows app versions before 2023.6-beta1. The vulnerability stems from insufficient permissions on a directory that allows any local unprivileged user to escalate privileges to SYSTEM level access (NVD). The issue was discovered and disclosed in December 2023, with a CVSS v3.1 base score of 7.8 HIGH (NVD).

The vulnerability is classified as CWE-732 (Incorrect Permission Assignment for Critical Resource). The security flaw exists due to improper permission settings on the Mullvad directories, particularly in the ProgramData directory on Windows systems. This misconfiguration in access control permissions allows unprivileged users to manipulate these directories (GitHub PR).

The vulnerability allows any local unprivileged user to escalate their privileges to SYSTEM level on affected Windows systems. This means an attacker with basic user access could gain the highest level of system privileges, potentially leading to complete system compromise (NVD).

The vulnerability was fixed in Mullvad VPN version 2023.6-beta1 and subsequent releases. The fix involves setting stricter permissions on Mullvad directories, particularly those in ProgramData. Users are advised to upgrade to version 2023.6 or later to protect against this vulnerability (GitHub Release).