Skip to main content

Eluktronics Control Center CVE-2025-7883

HIGH
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2025-07-20 cna@vuldb.com
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:15 vuln.today

DescriptionCVE.org

A vulnerability classified as critical has been found in Eluktronics Control Center 5.23.51.41. Affected is an unknown function of the file \AiStoneService\MyControlCenter\Command of the component Powershell Script Handler. The manipulation leads to command injection. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Command injection in Eluktronics Control Center 5.23.51.41 allows local authenticated users to execute arbitrary PowerShell commands with elevated privileges through the AiStoneService component. The vulnerability has public exploit code available (CVSS E:P) and affects a PC hardware control software, enabling local privilege escalation. Vendor was notified but did not respond, leaving the vulnerability unpatched. EPSS data not available, but the local-only attack vector (AV:L) and authentication requirement (PR:L) limit widespread exploitation risk despite the critical CVSS 7.1 score.

Technical ContextAI

The vulnerability resides in the PowerShell Script Handler component of Eluktronics Control Center, specifically in the AiStoneService at path \AiStoneService\MyControlCenter\Command. This is a CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) injection flaw, where the application fails to sanitize user-controlled input before passing it to PowerShell execution contexts. Eluktronics Control Center is a system utility for managing laptop hardware settings (fan curves, performance profiles, RGB lighting) on Eluktronics gaming laptops. The affected CPE (cpe:2.3:a:eluktronics:control_center:5.23.51.41) identifies version 5.23.51.41 specifically. The AiStoneService component likely runs with elevated system privileges to modify hardware settings, making command injection particularly dangerous as it can bypass Windows User Account Control and execute commands in a SYSTEM or administrator context.

RemediationAI

No vendor-released patch is available as Eluktronics did not respond to vulnerability disclosure. Immediate compensating controls: (1) Uninstall Eluktronics Control Center version 5.23.51.41 if hardware control features are not business-critical-this eliminates the attack surface but loses fan control and performance tuning capabilities. (2) Restrict local user privileges on affected systems to prevent standard users from accessing the AiStoneService component-implement least-privilege access controls and remove local administrator rights where possible, though this may limit legitimate hardware configuration. (3) Deploy application whitelisting (AppLocker, Windows Defender Application Control) to block execution of unauthorized PowerShell scripts, though this may interfere with legitimate Control Center operations. (4) Monitor process execution for suspicious PowerShell commands spawned by AiStoneService.exe or related Eluktronics processes using EDR telemetry. Users should check Eluktronics support channels or third-party laptop communities for any unofficial patches or updated software versions. Public exploit details available at https://drive.proton.me/urls/V5KQBBTH4G#VKpByTUTOWUW and VulDB entries 316998.

CVE-2023-5616 MEDIUM POC
4.9 Apr 15

In Ubuntu, gnome-control-center did not properly reflect SSH remote login status when the system was configured to use s

CVE-2022-21229 HIGH
7.8 Aug 18

Improper buffer restrictions for some Intel(R) NUC 9 Extreme Laptop Kit drivers before version 2.2.0.22 may allow an aut

CVE-2022-26669 MEDIUM
6.5 Jun 20

ASUS Control Center is vulnerable to SQL injection. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2022-26668 MEDIUM
6.5 Jun 20

ASUS Control Center API has a broken access control vulnerability. Rated medium severity (CVSS 6.5), this vulnerability

CVE-2021-33408 MEDIUM
6.5 May 27

Local File Inclusion vulnerability in Ab Initio Control>Center before 4.0.2.6 allows remote attackers to retrieve arbitr

CVE-2021-20528 MEDIUM
5.4 May 19

IBM Control Center 6.2.0.0 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability i

CVE-2023-43052 MEDIUM
5.3 Mar 07

IBM Control Center 6.2.1 through 6.3.1 is vulnerable to an external service interaction attack, caused by improper valid

CVE-2021-20529 MEDIUM
5.3 May 19

IBM Control Center 6.2.0.0 could allow a user to obtain sensitive version information that could be used in further atta

CVE-2016-0252 MEDIUM
5.1 Jul 08

IBM Control Center 6.x before 6.0.0.1 iFix06 and Sterling Control Center 5.4.x before 5.4.2.1 iFix09 allow local users t

CVE-2025-7884 LOW
1.9 Jul 20

Eluktronics Control Center 5.23.51.41 permits local authenticated users to bypass data authenticity verification in the

CVE-2024-35114 MEDIUM
5.3 Jan 25

IBM Control Center 6.2.1 and 6.3.1 could allow a remote attacker to enumerate usernames due to an observable discrepancy

CVE-2024-35113 MEDIUM
4.3 Jan 25

IBM Control Center 6.2.1 and 6.3.1 could allow an authenticated user to obtain sensitive information exposed through a d

Share

CVE-2025-7883 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy