CVE-2019-13208
Description
WavesSysSvc in Waves MAXX Audio allows privilege escalation because the General registry key has Full Control access for the Users group, leading to DLL side loading. This affects WavesSysSvc64.exe 1.9.29.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: = 1.9.29.0
Patches
Vulnerability mechanics
Root cause
"Improper registry key permissions grant Full Control to the Users group, allowing modification of the ExternalModule value that controls DLL loading by the SYSTEM-level WavesSysSvc service."
Attack vector
An attacker who is already authenticated as a local user can exploit improper registry permissions. The "General" registry key grants Full Control to the Users group, allowing any user to modify the "ExternalModule" value. This value contains a semicolon-separated list of DLL filenames that WavesSysSvc64.exe loads via LoadLibraryA at startup. By replacing a referenced DLL name with a path to a malicious DLL, the attacker achieves DLL side-loading when the service (running as LocalSystem) loads the library, resulting in privilege escalation to SYSTEM [ref_id=1].
Affected code
The vulnerable component is the WavesSysSvc service (WavesSysSvc64.exe 1.9.29.0). The service binary reads DLL names from the registry key named "General" under the Waves MAXX Audio hive, specifically the "ExternalModule" value. MaxxAudioAPOShell64.dll contains the functions that call RegCreateKeyExA and RegQueryValueExA to retrieve this data.
What the fix does
The advisory does not include a published patch. The recommended remediation is to restrict the permissions on the "General" registry key so that the Users group no longer has Full Control access. Only privileged accounts (such as SYSTEM or Administrators) should be allowed to modify the "ExternalModule" value that controls which DLLs the WavesSysSvc service loads [ref_id=1].
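One way to check a host for the permission problem described above, as an added example that is not part of the advisory or the vendor's code. The function name `Get-WeakRegistryAce` is hypothetical, and the key path is a placeholder because this page does not give the full path to the "General" key.

```powershell
# Added example: list Allow ACEs that give low-privileged groups write-class
# rights on a registry key read by a SYSTEM service.
function Get-WeakRegistryAce {
    param([Parameter(Mandatory)][string]$KeyPath)

    # Well-known SIDs, so the check does not depend on the OS display language.
    $lowPriv = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-4'      = 'INTERACTIVE'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }

    # Rights that let a principal change values or re-ACL the key.
    # FullControl contains all of the named flags, so it matches as well.
    $R = [System.Security.AccessControl.RegistryRights]
    $mask = [int]($R::SetValue) -bor [int]($R::CreateSubKey) -bor
            [int]($R::Delete) -bor [int]($R::ChangePermissions) -bor
            [int]($R::TakeOwnership) -bor
            0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE

    $acl = Get-Acl -Path $KeyPath -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # account name could not be resolved to a SID

        if ($lowPriv.ContainsKey($sid) -and ([int]$ace.RegistryRights -band $mask)) {
            [pscustomobject]@{
                Key       = $KeyPath
                Principal = $lowPriv[$sid]
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Placeholder path: substitute the vendor key named in the advisory.
$generalKey = 'HKLM:\SOFTWARE\<vendor-path>\General'
if (Test-Path -Path $generalKey) {
    Get-WeakRegistryAce -KeyPath $generalKey | Format-Table -AutoSize
}
```

Any row returned for the "General" key means a non-administrative principal can still change "ExternalModule"; an empty result is the expected state after the remediation.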
Preconditions
- auth: Attacker must have local user access to the Windows system
- config: WavesSysSvc service must be installed and running (starts automatically as LocalSystem)
- config: The 'General' registry key must have Full Control assigned to the Users group (default vulnerable configuration)
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- versprite.com/blog/security-research/windows-registry/ (mitre, x_refsource_MISC)