WithSecure Repository: Threat Intelligence

Local privilege escalation by file manipulation in Docusnap

A race condition vulnerability was discovered in outdated versions of Docusnap (Version 12 and older builds of Version 13), which allows local privilege escalation.


During an inventory process, the DocusnapServer.exe process creates a temporary executable file named DiscoveryWindows_[GUID].exe in the directory: C:\ProgramData\Docusnap\Temp\


This directory was writable by all users at the time. Since the file was executed with elevated privileges a few seconds later, attackers had a 1–3 second window to replace it with a manipulated version and thus execute arbitrary code with SYSTEM privileges.


Cause:
Missing access restrictions on C:\ProgramData\Docusnap\Temp\
Time gap between file creation and execution allowed for manipulation


Fix in Current Versions:
The vulnerability has been resolved in the latest versions of Docusnap 13 and 14.


Recommended Actions for Older Versions: Update to a current Docusnap version.
Alternatively: Manually restrict permissions on the folder C:\ProgramData\Docusnap\Temp\ so that only the Docusnap service account has write access.



ID: WITH-ZD-2025-0002
Other IDs: CVE-2025-30094
Application Detailed Category: unspecified_service
Application Super Category: local_service
CVSS v3: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Preconditions Needed For Attacker: local_user_level_access_required
References: https://docs.docusnap.com/en/release-notes/security-advisories/cve-2025-30094/
Version: 1.0