CVE-2024-6141: 
Windscribe vulnerability analysis and mitigation

CVE-2024-6141 is a directory traversal local privilege escalation vulnerability affecting Windscribe installations. The vulnerability was discovered by Zeze Lin working with Trend Micro Zero Day Initiative and was disclosed on June 20th, 2024. The vulnerability affects Windscribe desktop application versions prior to 2.10.10 (ZDI Advisory).

The vulnerability exists within the Windscribe Service component and stems from insufficient validation of user-supplied paths during file operations. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The flaw is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD, ZDI Advisory).

An attacker who successfully exploits this vulnerability can escalate privileges and execute arbitrary code in the context of SYSTEM on the affected system. This could lead to complete system compromise (ZDI Advisory).

Windscribe has addressed this vulnerability in version 2.10.10, released on May 15, 2024. Users are advised to update to this version or later. The fix specifically addresses the privilege escalation vulnerability that allowed an attacker to inject a DLL into the client app (Windscribe Changelog).