CVE-2023-31468
Description
An issue was discovered in Inosoft VisiWin 7 through 2022-2.1 (Runtime RT7.3 RC3 20221209.5). The "%PROGRAMFILES(X86)%\INOSOFT GmbH" folder has weak permissions for Everyone, allowing an attacker to insert a Trojan horse file that runs as SYSTEM. 2024-1 is a fixed version.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Inosoft/VisiWin 7
Patches
Vulnerability mechanics
Root cause
"Incorrect default permissions on the VisiWin installation directory allow low-privileged users to add or modify files that execute with SYSTEM privileges."
Attack vector
An attacker with low-privileged local access to the system can place a Trojan horse file into the "%PROGRAMFILES(X86)%\INOSOFT GmbH" folder because the directory has weak permissions for Everyone [CWE-276]. When VisiWin subsequently runs (e.g., as a service or SYSTEM-level process), it loads the attacker's malicious file, resulting in privilege escalation to SYSTEM [ref_id=1]. The attack requires no user interaction beyond the attacker having a local user account (AV:L/PR:L/UI:N) [ref_id=2].
Affected code
The vulnerability resides in the directory permissions of the "%PROGRAMFILES(X86)%\INOSOFT GmbH" folder created by Inosoft VisiWin 7 (Runtime RT7.3 RC3 20221209.5 and prior versions). The advisory does not specify a particular source file or function; the defect is in the installer or runtime that creates this folder with weak default permissions [ref_id=1].
What the fix does
Inosoft recommends updating to VisiWin version 2024-1, which is the fixed version [ref_id=1]. No patch diff is provided in the bundle, so the exact code changes are unknown; however, the fix presumably corrects the default permissions on the "%PROGRAMFILES(X86)%\INOSOFT GmbH" directory so that low-privileged users cannot add or modify files that will later execute with SYSTEM privileges [ref_id=1].
Preconditions
- (auth) Attacker must have a low-privileged local user account on the affected Windows system
- (config) The VisiWin software must be installed and the '%PROGRAMFILES(X86)%\INOSOFT GmbH' directory must have weak default permissions
- (input) The system must run VisiWin (e.g., as a service or SYSTEM-level process) after the attacker has placed the malicious file
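To check a host for the CWE-276 condition described above, the following PowerShell audit is an added example, not code from Inosoft or the advisory; the folder path is the one the advisory names, while the broad-principal list, the write-class rights mask and the $Remediate switch are assumptions of this example.

```powershell
# Added example, not Inosoft's or the advisory's code: audit the folder named in the
# advisory for Allow ACEs that grant broad principals write-class rights (CWE-276).
# $Remediate and the principal list are assumptions of this example.
$Path      = Join-Path ${env:ProgramFiles(x86)} 'INOSOFT GmbH'
$Remediate = $false   # set to $true to strip the offending explicit ACEs

# Principals that include every low-privileged local user.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Rights that let a user add, modify or replace files, or rewrite the ACL itself.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = $R::Write -bor $R::Modify -bor $R::FullControl -bor
             $R::ChangePermissions -bor $R::TakeOwnership

function Find-WeakAce {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Any overlap with the write-class mask is a finding.
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Not found: $Path"; return }

$findings = @(Find-WeakAce -Directory $Path)
if ($findings.Count -eq 0) { "No write-class ACEs for broad principals on $Path"; return }
$findings | Format-Table -AutoSize

if ($Remediate) {
    # Inherited ACEs cannot be removed here; fix them on the parent directory instead.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($f in ($findings | Where-Object { -not $_.Inherited })) {
        $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $f.Principal -and $_.AccessControlType -eq 'Allow'
        } | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}
```

Run it from an elevated session; a non-empty findings table on a pre-2024-1 install confirms the weak-permission condition, and the same script reports nothing once the directory ACL has been corrected.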
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- packetstormsecurity.com/files/174268/Inosoft-VisiWin-7-2022-2.1-Insecure-Permissions-Privilege-Escalation.html
- cwe.mitre.org/data/definitions/276.html
- www.cisa.gov/news-events/ics-advisories/icsa-24-151-03
- www.exploit-db.com/exploits/51682
- www.first.org/cvss/calculator/3.1
- www.first.org/cvss/calculator/4.0
- www.inosoft.com/en/news-details/news/neue-visiwin-version-2024-1