CVE-2025-63421
Description
An issue in filosoft Comerc.32 Commercial Invoicing v.16.0.0.3 allows a local attacker to execute arbitrary code via the comeinst.exe file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Local attacker can replace a temporary setup.exe during installation, leading to arbitrary code execution when the victim uninstalls the software.
Vulnerability
Overview
CVE-2025-63421 is a local privilege escalation vulnerability in Filosoft Comerc.32 Commercial Invoicing v.16.0.0.3. During installation via comeinst.exe, the installer drops a file named setup.exe into a temporary folder under C:\Users\\AppData\Local\Temp\{random-uid}\Disk1\. Because the installing user has write permission on this folder, an attacker with local access can replace the legitimate setup.exe with a malicious binary before the installation process finishes [1].
Exploitation
The attacker must be able to write to the temporary folder, which is possible from a low-integrity token or a non-administrator shell. The installer does not validate the integrity of setup.exe before copying it to the final installation directory at C:\Program Files (x86)\InstallShield Installation Information\{random-uid}\setup.exe. When the victim later uninstalls the program via the Control Panel, the planted setup.exe is executed. The uninstall process triggers a UAC elevation prompt that the victim expects to see, which partially masks the execution of the backdoor; depending on the user context, the resulting access can also enable lateral movement [1].
Impact
Successful exploitation allows a local attacker to execute arbitrary code with elevated privileges during the uninstall process. This can lead to full compromise of the affected system and potential lateral movement within a network [1].
Mitigation
As of the publication date, Filosoft has not announced an official patch, and the vendor's website does not mention a fix [2]. Users should restrict local access to trusted users and monitor the temporary folder during software installations.
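Because the uninstaller runs whatever setup.exe sits in the InstallShield staging directory, an administrator can verify that binary before triggering an uninstall. The following PowerShell check is an added example written for this page; it is not code from Filosoft or from the CVE record. It assumes the staging root named in the Overview above and that it is run from an elevated prompt so every subfolder is readable. For each setup.exe it reports the Authenticode status, signer, SHA-256 hash and whether the containing folder grants write access to standard users, so the file can be compared against the hash of the setup.exe shipped inside the original installer media before it is allowed to run elevated.

```powershell
# Added defender-side integrity check (not part of the original page or the vendor's software).
# Assumption: the staging root below is the path the CVE narrative names as the
# uninstaller's final copy location.
$StagingRoot = 'C:\Program Files (x86)\InstallShield Installation Information'

function Get-StagedSetupReport {
    param([string]$Root = $StagingRoot)

    Get-ChildItem -Path $Root -Filter 'setup.exe' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

            # Any Allow ACE that gives Write/Modify/FullControl to a broad group means a
            # standard user could swap the binary after installation as well.
            $broadWriteAces = @((Get-Acl -Path $file.DirectoryName).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference -match 'Users|Authenticated Users|Everyone' -and
                $_.FileSystemRights  -match 'Write|Modify|FullControl'
            })

            [pscustomobject]@{
                Path            = $file.FullName
                SizeBytes       = $file.Length
                LastWriteTime   = $file.LastWriteTime
                SignatureStatus = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                Sha256          = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
                WritableByUsers = ($broadWriteAces.Count -gt 0)
            }
        }
}

# Usage: review every staged setup.exe. Treat NotSigned or HashMismatch, a signer you do not
# recognise, a LastWriteTime later than the installation, or WritableByUsers = True as a
# reason not to run the uninstall until the file has been compared with the original media.
Get-StagedSetupReport | Format-List
```

The SHA-256 value is the useful comparison point: the same check run against the Disk1\setup.exe on the original installation media gives the expected hash, and any staged copy that differs should be replaced from that media before the uninstaller is launched.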
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: 16.0.0.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.