CVE-2018-15832
Description
upc.exe in Ubisoft Uplay Desktop Client versions 63.0.5699.0 allows remote attackers to execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of URI handlers. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code under the context of the current process.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: =63.0.5699.0
Patches
Vulnerability mechanics
Root cause
"Missing input validation in the uplay:// URI protocol handler allows injection of arbitrary Chromium command-line flags, enabling remote code execution via the --GPU-launcher switch."
Attack vector
An attacker crafts a malicious URI such as `uplay://foobar" --GPU-launcher="cmd /K whoami &" --` and hosts it on a webpage or in a hyperlink [ref_id=1]. When a victim using Microsoft Edge visits the page, Edge prompts "Did you mean to switch apps?" and after the user consents, the URI is passed to Windows `ShellExecute`, which invokes `upc.exe` with the unsanitized string [ref_id=1]. The injected quote character breaks the command line, and the `--GPU-launcher` Chromium flag executes an arbitrary system command under the context of the current process [ref_id=1]. No authentication or special privileges are required beyond having the vulnerable Uplay client installed.
Affected code
The vulnerability resides in the custom `uplay://` URI protocol handler registered for `upc.exe` (Ubisoft Uplay Desktop Client version 63.0.5699.0). The registry entry at `HKEY_CLASSES_ROOT\uplay\Shell\Open\Command` passes the full URI as `"%1"` to `upc.exe` without sanitization [ref_id=1]. The flaw is in the lack of input validation within `upc.exe` when processing command-line arguments passed via the protocol handler.
What the fix does
The advisory (Ubisoft forum post dated July 17, 2018) is referenced but no patch diff is included in the bundle [ref_id=1]. The recommended fix, per Microsoft's guidance cited in the write-up, is that pluggable protocol handlers must carefully validate all command-line parameters because spaces, quotes, and backslashes in the URI are interpreted as part of the command line by `ShellExecute` [ref_id=1]. The vendor should sanitize or escape special characters in the URI before passing it to `upc.exe`, and should not allow injection of arbitrary Chromium command-line switches like `--GPU-launcher`.
Preconditions
- configVictim must have Ubisoft Uplay Desktop Client version 63.0.5699.0 installed
- inputVictim must visit a malicious page or click a malicious link (user interaction required)
- inputVictim must consent to the 'switch apps' prompt when using Microsoft Edge (or dismiss warnings in IE)
Reproduction
1. Host an HTML page containing the following content: `<a href='uplay://foobar" --GPU-launcher="cmd /K whoami &" --'>poc</a><script>window.location='uplay://foobar" --GPU-launcher="cmd /K whoami &" --'</script>` [ref_id=1]. 2. Open the page in Microsoft Edge on a system with Uplay Desktop Client 63.0.5699.0 installed. 3. When prompted "Did you mean to switch apps? Microsoft Edge is trying to open 'UPlay launcher'", click "Yes". 4. A UAC prompt for UplayService.exe may appear (dismiss with Yes or No). 5. The `whoami` command executes, demonstrating arbitrary code execution [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- www.exploit-db.com/exploits/45429/mitreexploitx_refsource_EXPLOIT-DB
News mentions
0No linked articles in our index yet.