CVE-2025-6241
Description
LsiAgent.exe, a component of SysTrack from Lakeside Software, attempts to load several DLL files which are not present in the default installation. If a user-writable directory is present in the SYSTEM PATH environment variable, a user can write a malicious DLL containing arbitrary code to that directory. Because of the Windows default dynamic-link library search order, this DLL is loaded and executed in the context of NT AUTHORITY\SYSTEM when the service starts or restarts, resulting in local elevation of privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LsiAgent.exe in SysTrack loads missing DLLs from SYSTEM PATH, allowing local users to plant malicious DLLs for privilege escalation to SYSTEM.
Vulnerability
Overview
LsiAgent.exe, a component of Lakeside Software's SysTrack endpoint monitoring agent, attempts to load several Dynamic Link Library (DLL) files that are not present in the default installation. Among these is wdapi.dll, used to detect virtualized Citrix environments. The executable searches for these DLLs by iterating through the directories listed in the SYSTEM PATH environment variable. If a user-writable directory exists in that path, an attacker can place a malicious DLL with the expected name there. Due to the Windows default dynamic-link library search order, LsiAgent.exe loads the attacker's DLL when it starts, executing arbitrary code in the security context of NT AUTHORITY\SYSTEM [1].
Exploitation
Prerequisites
Exploitation requires local access to the target system and the ability to write a file into a directory that is part of the SYSTEM PATH environment variable. No additional authentication is needed beyond the attacker's existing local user privileges. The attacker must know the name of a DLL that LsiAgent.exe attempts to load (e.g., wdapi.dll) and place a malicious version in a user-writable directory that appears earlier in the SYSTEM PATH than the intended location. The attack can be triggered by restarting the LsiAgent service or waiting for the system to reboot, as LsiAgent.exe runs automatically with default installation settings [1].
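To check whether an endpoint meets the prerequisite described above, the following PowerShell audit lists machine PATH directories that a non-administrative principal could write to. It is an added example, not code from Lakeside Software or from this page; the trusted-SID list and the output format are assumptions to adjust locally.

```powershell
# Added example, not Lakeside or page code. Flags machine PATH entries where a
# principal outside the trusted set below could create or replace a DLL.
$trustedSids = @(                      # assumption: adjust to local policy
    'S-1-5-18',                        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',                    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Rights that allow dropping a file, or re-granting oneself that ability.
$plantMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, ChangePermissions, TakeOwnership'
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType = [System.Security.Principal.SecurityIdentifier]

# Machine-scope PATH only: this is what a service running as SYSTEM searches.
$raw = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$dirs = [Environment]::ExpandEnvironmentVariables($raw) -split ';' |
    ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ } | Select-Object -Unique

$findings = foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A dangling entry matters if a standard user can create the directory.
        [pscustomobject]@{ Directory = $dir; Principal = '-'; Rights = 'directory missing' }
        continue
    }
    try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop }
    catch {
        [pscustomobject]@{ Directory = $dir; Principal = '-'; Rights = 'ACL unreadable' }
        continue
    }
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to the directory itself.
        if (($ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ($trustedSids -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $plantMask) -eq 0) { continue }
        try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.IdentityReference.Value }   # unresolved SID
        [pscustomobject]@{ Directory = $dir; Principal = $name; Rights = $ace.FileSystemRights }
    }
}

if ($findings) { $findings | Sort-Object Directory, Principal | Format-Table -AutoSize -Wrap }
else { Write-Output 'No machine PATH directory is writable by an untrusted principal.' }
```

The script evaluates Allow entries only, so a directory that also carries a matching Deny entry can be over-reported; treat each row as a lead to confirm against the effective permissions.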
Impact
Successful exploitation grants the attacker code execution with SYSTEM-level privileges, the highest level of access on a Windows system. This allows the attacker to install programs, view, change, or delete data, create new accounts with full user rights, and perform any other action available to the operating system. The vulnerability effectively bypasses standard user account controls and can lead to complete compromise of the affected endpoint [1].
Mitigation
Lakeside Software has addressed this vulnerability in SysTrack version 10.10.0.42 and later. Users are advised to update their SysTrack installation to this version or any subsequent release. No workaround is documented; the only reliable mitigation is applying the vendor-supplied patch [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.