CVE-2024-57394
Description
Low-privilege users can restore quarantined files to arbitrary paths in Qi-ANXIN Tianqing EDR v10.0, enabling DLL hijacking for privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The quarantine-restore function in Qi-ANXIN Tianqing Endpoint Security Management System v10.0 allows users to restore a quarantined file to an arbitrary file path, including system directories such as C:\Windows\System32. This vulnerability was identified and tested on version 10.0 [1].
Exploitation
An attacker with low privileges can craft a malicious DLL (e.g., sprintcsp.dll) that executes arbitrary commands. The DLL is placed on the target machine and becomes quarantined by the EDR. The attacker then uses the restore function to restore and trust the file, writing it to C:\Windows\System32. Subsequently, the attacker creates RpcClient.exe to exploit a known DLL hijacking vulnerability in the StorSvc service, causing the malicious DLL to be loaded and executed with SYSTEM privileges [1].
Impact
Successful exploitation allows an attacker to escalate privileges from a low-privilege user to SYSTEM. The attacker can execute arbitrary code with SYSTEM privileges, such as creating a new service and running a binary as SYSTEM [1].
Mitigation
As of the publication date (2025-04-21), no official patch has been released by Qi-ANXIN. Users should restrict access to the quarantine-restore function or monitor for unusual file restores to system paths. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), version range: = 10.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing path validation in the quarantine-restore function allows a low-privilege user to restore a quarantined file to an arbitrary filesystem location."
Attack vector
An attacker crafts a malicious DLL (e.g., sprintcsp.dll) and lands it on the target machine, where the EDR quarantines it. Using the quarantine-restore function, the attacker restores the file to an arbitrary path such as C:\Windows\System32 [1]. The attacker then triggers a known Windows DLL hijacking vulnerability (e.g., in the StorSvc service) to execute the malicious DLL, escalating privileges to SYSTEM [1].
Affected code
The bundle does not identify specific source files or functions. The vulnerability resides in the quarantine-restore function of the Qi-ANXIN Tianqing Endpoint Security Management System v10.0 client [1].
What the fix does
No patch is included in the bundle. The advisory does not specify whether Qi-ANXIN has released a fix for version 10.0 [1]. Remediation would require the vendor to enforce path validation on the restore function, restricting restoration to the original quarantine directory and preventing writes to sensitive system paths such as C:\Windows\System32.
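One way to enforce the path validation described above, written as an added example (not Qi-ANXIN's code): the restore is allowed only back to the location recorded at quarantine time and never under a protected system root. It assumes the restore request carries a client-supplied destination and the original path stored with the quarantine record; the protected-root list is constructed, seeded with the C:\Windows\System32 destination from the advisory, and the check also covers `..` traversal, mixed separators, case differences, trailing dots and `\\?\`/UNC prefixes, which go beyond the single case in the text.

```python
from pathlib import PureWindowsPath

# Roots a restore must never write into (constructed list for this example).
PROTECTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")


def canonical_parts(path: str) -> tuple:
    """Lexically canonicalize an absolute drive path into lower-cased parts.

    Rejects relative, UNC (\\\\server\\share) and device (\\\\?\\C:) paths and
    any '..' that climbs above the drive root. Tuples compare independently
    of '/' vs '\\' separators and of letter case.
    """
    p = PureWindowsPath(path)
    drive = p.drive
    if len(drive) != 2 or drive[1] != ":" or not drive[0].isalpha() or not p.root:
        raise ValueError(f"not a plain absolute drive path: {path!r}")
    parts = [drive.lower() + "\\"]
    for part in p.parts[1:]:  # parts[0] is the anchor, e.g. 'C:\\'
        if part == ".":
            continue
        if part == "..":
            if len(parts) == 1:
                raise ValueError(f"path escapes the drive root: {path!r}")
            parts.pop()
            continue
        name = part.lower().rstrip(" .")  # Win32 ignores trailing dots/spaces
        if not name:
            raise ValueError(f"empty path component in {path!r}")
        parts.append(name)
    return tuple(parts)


def validate_restore_destination(requested: str, original: str) -> tuple:
    """Return (allowed, reason) for a quarantine-restore request.

    `original` is the full path recorded when the file was quarantined. The
    write is permitted only to that exact location, and never under a
    protected root, so a client-chosen destination cannot plant a DLL in a
    system directory.
    """
    try:
        req, orig = canonical_parts(requested), canonical_parts(original)
    except ValueError as exc:
        return False, str(exc)
    for root in PROTECTED_ROOTS:
        root_parts = canonical_parts(root)
        if req[: len(root_parts)] == root_parts:
            return False, f"destination is under protected root {root}"
    if req != orig:
        return False, "destination differs from the recorded original location"
    return True, "ok"
```

The same canonicalization can be applied to restore events in EDR logs to flag any destination that resolves under a protected root.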
Preconditions
- auth: Attacker must have low-privilege user access to the Qi-ANXIN Tianqing Endpoint Security Management System client.
- input: Attacker must craft a malicious DLL file and land it on the target machine so it is quarantined by the EDR.
- config: The target system must have a vulnerable Windows service (e.g., StorSvc) susceptible to DLL hijacking.
Reproduction
1. Craft a malicious DLL named sprintcsp.dll that executes malicious commands.
2. Land the DLL on the target machine so the EDR quarantines it.
3. Use the EDR client to restore and trust the file, specifying the destination path as C:\Windows\System32.
4. Create RpcClient.exe to trigger a DLL hijacking vulnerability in the StorSvc service, causing it to load sprintcsp.dll from System32. The DLL will create a service named abc and execute C:\Users\Public\test.exe as SYSTEM [1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.