Skip to main content

Windows CVE-2025-46355

| EUVDEUVD-2025-16715 HIGH
Incorrect Default Permissions (CWE-276)
2025-06-03 vultures@jpcert.or.jp
7.3
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 14, 2026 - 17:04 euvd
EUVD-2025-16715
Analysis Generated
Mar 14, 2026 - 17:04 vuln.today
CVE Published
Jun 03, 2025 - 08:15 nvd
HIGH 7.3

DescriptionCVE.org

Incorrect default permissions issue in PC Time Tracer prior to 5.2. If exploited, arbitrary code may be executed with SYSTEM privilege on Windows system where the product is running by a local authenticated attacker.

AnalysisAI

PC Time Tracer versions prior to 5.2 contain an incorrect default permissions vulnerability (CWE-276) that allows local authenticated attackers to execute arbitrary code with SYSTEM privileges on Windows systems. The vulnerability requires local access and user interaction but provides complete system compromise capability. No KEV/CISA known exploited vulnerability status or public POC availability is confirmed from the provided data, though the CVSS 7.3 score and EPSS analysis should be monitored for exploitation likelihood.

Technical ContextAI

This vulnerability stems from improper file or registry permission assignments in PC Time Tracer, classified under CWE-276 (Incorrect Default Permissions). Windows-based applications often run with elevated privileges or interact with system resources; if default DACL (Discretionary Access Control List) configurations permit low-privileged users to modify executable files, DLLs, configuration files, or scheduled tasks owned by the application, privilege escalation becomes possible. The root cause likely involves file/directory permissions on application directories (typically C:\Program Files\PC Time Tracer or similar) that inadvertently grant write access to authenticated local users, enabling DLL injection, executable replacement, or configuration manipulation. CPE identification would be: cpe:2.3:a:*:pc_time_tracer:*:*:*:*:*:*:*:* (versions <5.2).

RemediationAI

  1. Immediate Patch: Upgrade PC Time Tracer to version 5.2 or later. Obtain the patch from the official vendor download portal or auto-update mechanism. 2. Pre-Patch Mitigation: Restrict file and directory permissions on the PC Time Tracer installation directory (typically C:\Program Files\PC Time Tracer) to remove write access for non-administrator users; use icacls or Group Policy to enforce ACLs removing authenticated user write permissions. 3. Access Control: Limit local login privileges to trusted users; disable remote access if not required. Monitor and restrict scheduled task execution triggered by the application. 4. Detection: Audit file modification events in the application directory and monitor for unexpected process elevation or DLL loading from the application folder.
CVE-2021-40444 HIGH POC
8.8 Sep 15

Windows MSHTML component contains a remote code execution vulnerability that allows attackers to craft malicious ActiveX

CVE-2021-1732 HIGH POC
7.8 Feb 25

Windows Win32k contains an out-of-bounds write vulnerability enabling local privilege escalation to SYSTEM, exploited by

CVE-2018-8174 HIGH POC
7.5 May 09

The Windows VBScript engine contains a remote code execution vulnerability in object handling that allows full system co

CVE-2019-0803 HIGH POC
7.8 Apr 09

Windows Win32k fails to properly handle objects in memory, allowing local privilege escalation exploited in the wild in

CVE-2020-1472 MEDIUM POC
5.5 Aug 17

A privilege escalation vulnerability (CVSS 5.5). Risk factors: actively exploited (KEV-listed), EPSS 94% exploitation pr

CVE-2024-30088 HIGH POC
7.0 Jun 11

Windows Kernel contains a TOCTOU race condition vulnerability allowing local privilege escalation, exploited by the OilR

CVE-2025-33053 HIGH POC
8.8 Jun 10

Windows Internet Shortcut Files (.url) contain an external control vulnerability (CVE-2025-33053, CVSS 8.8) that enables

CVE-2025-33073 HIGH POC
8.8 Jun 10

Windows SMB contains an improper access control vulnerability (CVE-2025-33073, CVSS 8.8) enabling authenticated attacker

CVE-2025-13315 CRITICAL POC
9.3 Nov 19

Twonky Server 8.5.2 on Linux and Windows allows unauthenticated access to the admin log file through a web service API b

CVE-2013-10047 CRITICAL POC
9.3 Aug 01

An unrestricted file upload vulnerability exists in MiniWeb HTTP Server <= Build 300 that allows unauthenticated remote

CVE-2012-10030 CRITICAL POC
9.3 Aug 05

FreeFloat FTP Server contains multiple critical design flaws that allow unauthenticated remote attackers to upload arbit

CVE-2025-34101 CRITICAL POC
9.3 Jul 10

Serviio Media Server versions 1.4 through 1.8 on Windows contain an unauthenticated command injection in the /rest/actio

Share

CVE-2025-46355 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy