CVE-2022-48225

Vulnerability

Acuant AcuFill SDK before version 10.22.02.03 contains a DLL hijacking vulnerability during the installation of the Gemalto Document Reader child process. The installer attempts to load multiple non-existent DLLs from a standard-user writable directory, which does not exist by default. This allows an attacker to place a malicious DLL in that location to be executed with elevated privileges.

Exploitation

An attacker must have the ability to write files to the system (standard user privileges) and place a malicious DLL in the path where the installer looks for the missing DLLs. The Gemalto Document Reader installation runs with elevated privileges, so when it attempts to load the non-existent DLL, it will instead load the attacker's DLL from the writable directory. No user interaction beyond the normal installation process is required.

Impact

Successful exploitation grants the attacker arbitrary code execution in the context of the installer, which runs with elevated (SYSTEM) privileges. This can lead to full compromise of the affected system, including installation of malware, persistence, or unauthorized data access.

Mitigation

The vulnerability is fixed in Acuant AcuFill SDK version 10.22.02.03 and later [1]. Users should update to the latest version immediately. There is no workaround other than applying the patch, as the issue lies in the installer's loading behavior. No CISA KEV listing has been published at this time.