CVE-2019-17202
Description
FastTrack Admin By Request 6.1.0.0 supports group policies that are supposed to allow only a select range of users to elevate to Administrator privilege at will. If a user does not have direct access to the elevation feature through group policies, they are prompted to enter a PIN code in a challenge-response manner upon attempting to elevate privileges. The challenge's response uses a simple algorithm that can be easily emulated via data (customer ID and device name) available to all users, and thus any user can elevate to Administrator privilege.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Admin By Request 6.1.0.0, a weak PIN algorithm allows any user to elevate to Administrator by knowing the customer ID and device name.
Vulnerability
FastTrack Admin By Request 6.1.0.0 uses a simple challenge-response mechanism for users who are not allowed to elevate privileges via group policies. The PIN response algorithm depends only on the customer ID and device name, which are available to all users on the system. This allows anyone to compute the correct PIN without any special permissions or secrets.
The affected version is 6.1.0.0. No newer versions are named in the available references, but the vendor has since released multiple newer versions (up to 8.7) according to the release notes [1].
Exploitation
An attacker needs to be a local user on the system. They can obtain the customer ID and device name from the client software interface or configuration. Using the known simple algorithm, they compute the correct PIN response. When elevation is requested, the system prompts for a PIN; the attacker enters the computed PIN and gains Administrator privileges.
Impact
A non-privileged user can elevate to full Administrator rights, bypassing the intended group policy restrictions. This leads to complete compromise of the local system, including the ability to install software, modify system files, create or delete users, and access all data on the machine.
Mitigation
According to the vendor's release notes [1], Admin By Request has been updated through multiple versions, with the latest being 8.7 (February 2026). Any user still running 6.1.0.0 should upgrade to the latest available version. No specific release date for a security fix is given for this CVE. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FastTrack/Admin By Request
- Range: =6.1.0.0
Patches
No patches discovered yet.