CVE-2021-44466
Description
Bitmask Riseup VPN 0.21.6 contains a local privilege escalation flaw due to improper access controls. When the software is installed with a non-default installation directory off of the system root, the installer fails to properly set ACLs. This allows lower privileged users to replace the VPN executable with a malicious one. When a higher privileged user such as an Administrator launches that executable, it is possible for the lower privileged user to escalate to Administrator privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bitmask Riseup VPN 0.21.6 installation in a non-default directory fails to set proper ACLs, allowing a low-privileged user to replace the executable and escalate to Administrator.
Vulnerability
In Bitmask Riseup VPN version 0.21.6 (the newest build offered on bitmask.net/en/install, although that page labels it 0.21.2), installing on Windows 10 into a non-default directory located directly under the system drive root (an illustrative example would be C:\RiseupVPN instead of %ProgramFiles%) leaves the VPN executable with whatever ACL the directory inherits, because the installer does not set its own access control lists (ACLs). On Windows the drive root's default DACL grants Authenticated Users Modify on subfolders and files, so the executable ends up writable by lower-privileged users [1].
Exploitation
A low-privileged user who can write to the vulnerable installation directory can replace the legitimate VPN executable with a malicious one. When a higher-privileged user, such as an Administrator, later launches that executable, the malicious code runs at the elevated privilege level [1].
Impact
Successful exploitation allows the low-privileged attacker to escalate their privileges to Administrator, achieving full control over the system. The impact is a complete compromise of confidentiality, integrity, and availability at the highest privilege level [1].
Mitigation
Users should upgrade to Bitmask Riseup VPN version 0.21.11 or later, which fixes the ACL issue [1]. Where 0.21.6 cannot be upgraded, install it into the default directory (under %ProgramFiles% or similar), which is not affected [1]; an existing non-default installation should have the ACL on its install directory corrected so that only Administrators and SYSTEM can write there, and the executable should be verified against a fresh copy before any administrator runs it again.
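To check whether an installation is exposed in the way [1] describes, and to correct it, the following PowerShell script is an added example for this entry, not code from Tenable or the Bitmask project. It assumes a hypothetical non-default install path of C:\RiseupVPN; the real path is whatever was chosen in the installer. It flags Allow ACEs that grant write-class rights to BUILTIN\Users, Authenticated Users, Everyone or INTERACTIVE on the install directory and its executables and DLLs (an inherited Authenticated Users Modify ACE is what a directory created directly under the drive root picks up), and with -Fix it replaces the ACL with the %ProgramFiles% layout: SYSTEM and Administrators Full Control, Users Read & Execute, with children re-inheriting.

```powershell
# Added example for this CVE entry; not code from Tenable or the Bitmask project.
# Audits an install directory for ACEs that let ordinary users replace or
# modify its files (the condition CVE-2021-44466 depends on) and, with -Fix,
# applies the ACL layout Windows uses under %ProgramFiles%. -Fix needs an
# elevated PowerShell. The default path is an assumed, hypothetical location.
[CmdletBinding()]
param(
    [string]$InstallDir = 'C:\RiseupVPN',
    [switch]$Fix
)

# Well-known SIDs every local account effectively holds; comparing SIDs rather
# than names keeps the check working on localized Windows builds.
$lowPrivSids = @(
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-1-0',       # Everyone
    'S-1-5-4'        # NT AUTHORITY\INTERACTIVE
)

# Specific rights that allow swapping the executable or altering the directory.
$writeRights = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, DeleteSubdirectoriesAndFiles, TakeOwnership, ChangePermissions'
# Generic-rights bits that some inherit-only ACEs carry instead of specific ones.
$genericWrite = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

function Find-WeakAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($lowPrivSids -notcontains $sid) { continue }
        $mask = [int]$ace.FileSystemRights
        if ((($mask -band $writeRights) -eq 0) -and (($mask -band $genericWrite) -eq 0)) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # $true: the ACE came from the parent, e.g. the drive root
        }
    }
}

function Set-InstallDirAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent and discard the inherited ACEs ...
    $acl.SetAccessRuleProtection($true, $false)
    # ... then drop any explicit ACEs, so only the rules granted below remain.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($grant in @(
            @('S-1-5-18',     [System.Security.AccessControl.FileSystemRights]::FullControl),     # SYSTEM
            @('S-1-5-32-544', [System.Security.AccessControl.FileSystemRights]::FullControl),     # Administrators
            @('S-1-5-32-545', [System.Security.AccessControl.FileSystemRights]::ReadAndExecute))) { # Users
        $id   = [System.Security.Principal.SecurityIdentifier]$grant[0]
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $id, $grant[1], $inherit, $none,
                    [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
    # Children: re-enable inheritance and remove explicit ACEs so they take the new DACL.
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $child = Get-Acl -LiteralPath $_.FullName
        $child.SetAccessRuleProtection($false, $true)
        foreach ($rule in @($child.Access | Where-Object { -not $_.IsInherited })) {
            [void]$child.RemoveAccessRule($rule)
        }
        Set-Acl -LiteralPath $_.FullName -AclObject $child
    }
}

# Audit the directory itself plus every executable and library under it.
$targets = @(Get-Item -LiteralPath $InstallDir) +
           @(Get-ChildItem -LiteralPath $InstallDir -Recurse -File |
             Where-Object { $_.Extension -in '.exe', '.dll' })
$weak = foreach ($item in $targets) { Find-WeakAce -Path $item.FullName }

if (-not $weak) {
    Write-Output "OK: no write-capable ACEs for low-privileged principals under $InstallDir"
} else {
    $weak | Format-Table -AutoSize | Out-String | Write-Output
    if ($Fix) {
        Set-InstallDirAcl -Path $InstallDir
        Write-Output "ACL reset on $InstallDir; re-run without -Fix to verify."
    } else {
        Write-Output "Vulnerable: re-run with -Fix from an elevated prompt to restrict writes to Administrators and SYSTEM."
    }
}
```

Run it once without -Fix to see which ACEs are responsible (the Inherited column shows whether they came from the drive root rather than from anything the installer wrote), then with -Fix from an elevated prompt. Resetting the ACL does not undo a replacement that has already happened, so compare the executable against a freshly downloaded copy before an administrator launches it again.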
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Bitmask/Riseup VPN
- Range: =0.21.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://www.tenable.com/security/research/tra-2021-58 (MISC)
News mentions
No linked articles in our index yet.