WithSecure Repository: Vulnerabilities & Tactics, Techniques and Procedures

Local privilege escalation by file manipulation in FileWave

In non-default custom configurations, FileWave Windows clients (v15.5.2 and earlier) allowed local, non-privileged users to escalate privileges to SYSTEM. This issue has been resolved in FileWave v16.0.0.

When deploying Filesets in FileWave, it is possible to include a Verification Script that runs every 24 hours or at system restart on Windows and macOS. Additionally, you might have a Requirements Script that runs every 2 minutes to test for a condition needed to install something.

These scripts are typically used for tasks such as re-applying Group Policy settings using tools like LGPO.exe on Windows. However, if an executable (like LGPO.exe) is replaced by a non-administrator, there is a risk that the malicious replacement could be executed with elevated privileges (SYSTEM on Windows or root on macOS).

By default, Filesets benefit from a self-healing mechanism. If an executable is modified, the Fileset will restore the original file before the Verification Script executes.

However, there is one scenario where this self-healing protection does not apply: the Blocker Script, which by default runs every 5 minutes. Its more frequent execution window could allow a local user to replace an executable before the next Fileset verification occurs.
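An administrator-side check for the condition described above, added here as an example (it is not FileWave's own code or the referenced KB article's script): it audits whether any non-administrator principal holds write, delete or ACL-change rights on an executable that a Fileset script launches, or on its parent directory. The executable path and the trusted principal names are assumptions for an English-language Windows install.

```powershell
# Added audit example (not FileWave code). Lists executables launched by
# Fileset Verification/Requirements/Blocker scripts that a non-admin could swap.
$ExecutablesToCheck = @(
    'C:\ProgramData\ExampleOrg\Tools\LGPO.exe'   # hypothetical path, adjust
)

# Principals expected to have write access; names assume an English Windows.
$TrustedIdentities = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Rights that let a principal overwrite, delete, or re-ACL the target.
# On a directory, WriteData/AppendData mean "create files/subdirectories".
$WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [System.Security.AccessControl.FileSystemRights]::WriteDac -bor
             [System.Security.AccessControl.FileSystemRights]::WriteOwner

function Test-ReplaceableByNonAdmin {
    param([string]$Path)
    $findings = @()
    # Check the file and its parent: delete+create in the parent is enough to
    # swap the binary even when the file's own ACL is strict.
    foreach ($target in @($Path, (Split-Path -Parent $Path))) {
        if (-not (Test-Path -LiteralPath $target)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $target).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedIdentities -contains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $WriteMask) -ne 0) {
                $findings += [pscustomobject]@{
                    Target   = $target
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
    return $findings
}

foreach ($exe in $ExecutablesToCheck) {
    $result = Test-ReplaceableByNonAdmin -Path $exe
    if ($result) {
        Write-Warning "$exe can be replaced by a non-administrator:"
        $result | Format-Table -AutoSize
    } else {
        Write-Host "$exe : only trusted principals can modify it or its directory"
    }
}
```

Any finding means the 5-minute Blocker Script window applies to that executable and its location or ACL should be tightened to administrators only.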

ID: WITH-ZD-2025-0001
Application detailed category: management_service
Application super category: local_service
Cvss v3: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Preconditions needed for attacker: local_user_level_access_required, non_default_configuration_of_service_required
References: https://kb.filewave.com/books/filesets-payloads/page/mitigating-privilege-escalation-in-fileset-executables
Version: 1.0