Skip to main content

Eluktronics Control Center CVE-2025-7884

LOW
Insufficient Verification of Data Authenticity (CWE-345)
2025-07-20 cna@vuldb.com
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:24 vuln.today

DescriptionCVE.org

A vulnerability classified as problematic was found in Eluktronics Control Center 5.23.51.41. Affected by this vulnerability is an unknown functionality of the component REG File Handler. The manipulation leads to insufficient verification of data authenticity. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Eluktronics Control Center 5.23.51.41 permits local authenticated users to bypass data authenticity verification in the REG File Handler component, resulting in potential information disclosure. The vulnerability requires local access and authenticated privileges but carries minimal real-world impact given the CVSS 1.9 score and EPSS exploitation probability of 0.01% (third percentile). Public exploit code has been disclosed, though vendor has not responded to disclosure notifications.

Technical ContextAI

The vulnerability resides in the REG File Handler component of Eluktronics Control Center, a system utility software for managing laptop hardware and performance settings. The root cause is classified as CWE-345 (Insufficient Verification of Data Authenticity), indicating the component fails to properly validate the integrity or authenticity of registry file data it processes. The affected component likely handles Windows Registry files (.reg format) during import, export, or modification operations. An authenticated local user can manipulate registry file inputs to bypass signature or integrity checks, allowing unauthorized modification or inspection of sensitive configuration data. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) confirms the attack requires local access to the system and authenticated user privileges, with no user interaction required, but impact is limited to integrity of information rather than confidentiality or availability.

RemediationAI

No vendor-released patch has been identified at time of analysis; the vendor did not respond to early disclosure notification. Users of Eluktronics Control Center 5.23.51.41 should consider the following compensating controls: restrict local system access to trusted users only, enforce strong authentication (complex passwords, multi-factor authentication if available) to reduce the likelihood of unauthorized local login; disable or restrict the REG File Handler component if not actively used in your deployment, as disabling unused functionality eliminates the attack surface; monitor Registry import and export operations through Windows Event Viewer or endpoint detection tools to detect suspicious REG file manipulation attempts; apply Windows Group Policy restrictions to prevent non-administrative users from modifying HKEY_LOCAL_MACHINE registry hives, which may prevent malicious registry file imports; regularly audit user permissions on systems running Control Center to ensure principle of least privilege. Given the minimal CVSS and EPSS scores, patching this vulnerability is lower priority than addressing higher-severity issues, but these controls are low-cost to implement.

CVE-2023-5616 MEDIUM POC
4.9 Apr 15

In Ubuntu, gnome-control-center did not properly reflect SSH remote login status when the system was configured to use s

CVE-2022-21229 HIGH
7.8 Aug 18

Improper buffer restrictions for some Intel(R) NUC 9 Extreme Laptop Kit drivers before version 2.2.0.22 may allow an aut

CVE-2025-7883 HIGH
7.1 Jul 20

Command injection in Eluktronics Control Center 5.23.51.41 allows local authenticated users to execute arbitrary PowerSh

CVE-2022-26669 MEDIUM
6.5 Jun 20

ASUS Control Center is vulnerable to SQL injection. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2022-26668 MEDIUM
6.5 Jun 20

ASUS Control Center API has a broken access control vulnerability. Rated medium severity (CVSS 6.5), this vulnerability

CVE-2021-33408 MEDIUM
6.5 May 27

Local File Inclusion vulnerability in Ab Initio Control>Center before 4.0.2.6 allows remote attackers to retrieve arbitr

CVE-2021-20528 MEDIUM
5.4 May 19

IBM Control Center 6.2.0.0 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability i

CVE-2023-43052 MEDIUM
5.3 Mar 07

IBM Control Center 6.2.1 through 6.3.1 is vulnerable to an external service interaction attack, caused by improper valid

CVE-2021-20529 MEDIUM
5.3 May 19

IBM Control Center 6.2.0.0 could allow a user to obtain sensitive version information that could be used in further atta

CVE-2016-0252 MEDIUM
5.1 Jul 08

IBM Control Center 6.x before 6.0.0.1 iFix06 and Sterling Control Center 5.4.x before 5.4.2.1 iFix09 allow local users t

CVE-2024-35114 MEDIUM
5.3 Jan 25

IBM Control Center 6.2.1 and 6.3.1 could allow a remote attacker to enumerate usernames due to an observable discrepancy

CVE-2024-35113 MEDIUM
4.3 Jan 25

IBM Control Center 6.2.1 and 6.3.1 could allow an authenticated user to obtain sensitive information exposed through a d

Share

CVE-2025-7884 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy