CVE-2022-48221
Description
An issue was discovered in Acuant AcuFill SDK before 10.22.02.03. Multiple MSIs get executed out of a standard-user writable directory. Through a race condition and OpLock manipulation, these files can be overwritten by a standard user. They then get executed by the elevated installer. This gives a standard user full SYSTEM code execution (elevation of privileges).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Acuant AcuFill SDK before 10.22.02.03 allows standard users to overwrite MSI files via race condition, leading to SYSTEM code execution.
Vulnerability
Acuant AcuFill SDK before version 10.22.02.03 contains a privilege escalation vulnerability. Multiple MSI files are executed from a directory writable by standard users. Due to a race condition combined with OpLock manipulation, a standard user can overwrite these MSI files before the elevated installer executes them.
Exploitation
An attacker needs only standard user privileges on the affected system. By exploiting a race window and using OpLock operations, the attacker can overwrite the MSI files with malicious content before the installer accesses them. No additional authentication or network access is required.
Impact
Successful exploitation results in full SYSTEM-level code execution. The attacker gains elevated privileges, allowing complete control over the system, including the ability to install software, modify data, and create new accounts.
Mitigation
The vendor has addressed this issue in Acuant AcuFill SDK version 10.22.02.03. Administrators should update to this fixed version. No workaround details are provided in the available reference [1]. If updating is not possible, consider restricting write access to the affected directories, though no specific instructions are given.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
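The Mitigation section suggests restricting write access to the affected directories without saying how to find out whether a directory is exposed. The following PowerShell audit is an added example, not code from the vendor or from this CVE record. It lists allow ACEs that let standard-user principals create, replace or re-permission files in an installer staging directory and the MSI files inside it. The path `C:\PLACEHOLDER\installer-staging` is a placeholder because the record does not name the directory, and the check assumes the well-known SIDs below cover the low-privileged principals of interest (deny ACEs and custom groups are not evaluated).

```powershell
# Added example: find ACEs that let standard users plant or replace installer files.
# $StagingDir is a placeholder; the CVE record does not name the affected directory.
param(
    [string]$StagingDir = 'C:\PLACEHOLDER\installer-staging'
)

# Well-known SIDs that include standard (non-administrator) users.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-4',       # INTERACTIVE
    'S-1-5-32-545'   # BUILTIN\Users
)

# Rights that allow creating, overwriting, deleting or re-permissioning files,
# plus the raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits
# that can appear in inherit-only ACEs.
$R = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
                   $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor
                   $R::TakeOwnership) -bor 0x50000000

function Get-LowPrivWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs rather than account names so the match is locale-independent.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivSids -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if (-not (Test-Path -LiteralPath $StagingDir -PathType Container)) {
    throw "Directory not found: $StagingDir"
}
# Check the directory itself and every MSI staged beneath it.
$targets = @($StagingDir) + @(Get-ChildItem -LiteralPath $StagingDir -Filter *.msi -File -Recurse |
                              ForEach-Object { $_.FullName })
$findings = foreach ($t in $targets) { Get-LowPrivWriteAce -Path $t }
if ($findings) { $findings | Format-Table -AutoSize }
else { "No low-privilege write ACEs found under $StagingDir" }
```

A finding on the directory itself matters as much as one on an MSI, since create or delete rights on the parent are enough to swap a file the elevated installer later runs.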
Affected products
- Acuant/AcuFill SDK
- Range: < 10.22.02.03
Patches
No patches discovered yet.
References