Local privilege escalation by file manipulation in ASSA ABLOY Visionline
Overview of ASSA ABLOY Visionline
Visionline is a networked access management platform developed by ASSA ABLOY for centralized control of electronic locks and access points. It is widely deployed in hospitality and commercial environments to manage door access, key card issuance, and security policies. The Visionline server component runs as a privileged Windows service and includes a built-in web server for administration.
Vulnerability Description
WithSecure Exposure Management identified a local privilege escalation vulnerability in ASSA ABLOY Visionline versions prior to 1.33 on Windows. The Visionline web server component is installed into a directory under C:\ProgramData\ASSA ABLOY\Visionline\webserver\ that inherits overly permissive default access controls. As a result, local non-privileged users have write access to executable files within this path.
Because the Visionline service executes these files with elevated privileges, a local attacker with low-privilege access can replace a legitimate executable with a malicious one. When the service subsequently executes the modified file, the attacker-controlled code runs with the privileges of the Visionline service, resulting in local privilege escalation.
The root cause is a combination of incorrect default permissions on a critical resource (CWE-276, CWE-732) and execution with unnecessary privileges (CWE-250).
Affected Software:
ASSA ABLOY Visionline versions from 1.0 before 1.33
Resolution:
Update to Visionline version 1.33 or later.
Workaround:
Restrict permissions on the folder C:\ProgramData\ASSA ABLOY\Visionline\webserver\ by disabling permission inheritance and removing the Users group from the access control list.
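The workaround above can be verified and applied from an elevated PowerShell session. The script below is an added example, not part of this advisory or of ASSA ABLOY's tooling; it assumes the default install path quoted above, and it also flags Authenticated Users and Everyone, which the advisory does not name, because a write grant to either has the same effect as the Users entry.

```powershell
# Added example (not from the advisory): audit the Visionline webserver directory
# for write rights granted to low-privilege principals and, with -Apply, enforce
# the vendor workaround (disable inheritance, remove those entries).
# -Apply and $Path are parameters of this script only; run as an administrator.
param(
    [string]$Path = 'C:\ProgramData\ASSA ABLOY\Visionline\webserver',
    [switch]$Apply
)

# Principals that must never be able to replace service-executed binaries.
$LowPrivSids = @(
    'S-1-5-32-545',  # BUILTIN\Users (the group named in the advisory)
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-1-0'        # Everyone
)

# Any of these rights lets a user overwrite or swap a file. The two hex values
# are GENERIC_WRITE and GENERIC_ALL, which some inherited ACEs carry instead of
# the named FileSystemRights flags.
$WriteMask = [long][System.Security.AccessControl.FileSystemRights]'Write, Delete' `
             -bor 0x40000000 -bor 0x10000000

$acl = Get-Acl -Path $Path
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $sid = $ace.IdentityReference.Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    if (($LowPrivSids -contains $sid) -and
        (([long]$ace.FileSystemRights -band $WriteMask) -ne 0)) { $ace }
}

if (-not $findings) {
    Write-Output "OK: no low-privilege principal can write to $Path"
    return
}

Write-Output "WEAK ACL: these entries let unprivileged users modify files under $Path"
$findings | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

if ($Apply) {
    # Convert inherited ACEs to explicit ones so they can be edited, then remove
    # every Allow entry for the flagged principals regardless of its rights.
    $acl.SetAccessRuleProtection($true, $true)
    foreach ($ace in $findings) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ace.IdentityReference, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.RemoveAccessRuleAll($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
    Write-Output "Applied: inheritance disabled and write entries removed from $Path"
}
```

Re-run the script without -Apply afterwards to confirm the directory reports OK; the same check is worth scheduling, since a reinstall or repair can restore the inherited permissions.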