Hotspot Shield
CVE-2020-17365
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Improper directory permissions in the Hotspot Shield VPN client software for Windows 10.3.0 and earlier may allow an authorized user to potentially enable escalation of privilege via local access. The vulnerability allows a local user to corrupt system files: a local user can create a specially crafted symbolic link to a critical file on the system and overwrite it with privileges of the application.
AnalysisAI
Improper directory permissions in the Hotspot Shield VPN client software for Windows 10.3.0 and earlier may allow an authorized user to potentially enable escalation of privilege via local access. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-59. Improper directory permissions in the Hotspot Shield VPN client software for Windows 10.3.0 and earlier may allow an authorized user to potentially enable escalation of privilege via local access. The vulnerability allows a local user to corrupt system files: a local user can create a specially crafted symbolic link to a critical file on the system and overwrite it with privileges of the application. Affected products include: Pango Hotspot Shield.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Hotspot Shield
View allHotspot Shield 6.0.3 contains an unquoted service path vulnerability in the hshld service binary that allows local attac
Hotspot Shield runs a webserver with a static IP address 127.0.0.1 and port 895. Rated high severity (CVSS 7.5), this vu
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today