CVE-2022-26238

Vulnerability

The Normand Service Manager, part of Beckman Coulter Remisol Advance v2.0.12.1 and prior, installs with default permissions that allow any local user to overwrite or manipulate its executables (e.g., ServiceManager.exe) and associated libraries [1][2]. This insecure file permission configuration affects all installations of the affected versions on Windows systems.

Exploitation

An attacker must first obtain low-privileged access to a workstation running the affected software — such access may be gained via a weak or default vendor password [2]. The attacker then replaces the Normand Service Manager executable or one of its libraries with a malicious binary. After replacing the file, the attacker must restart the service or reboot the machine; when the service starts, the malicious binary executes with the privileges of the SYSTEM account [2].

Impact

Successful exploitation results in arbitrary code execution as NT AUTHORITY\SYSTEM, the highest privilege level on a Windows host [2]. This gives the attacker full control over the affected system, including the ability to access sensitive data, install persistent backdoors, and pivot to other network resources.

Mitigation

No official vendor patch is referenced in the available materials [1][2]. The recommended fix is to manually correct the file system permissions on the Normand Service Manager installation directory so that non-privileged users cannot overwrite executables or libraries [2]. Users should also ensure that workstations are protected with strong, unique passwords [2].