A privilege escalation vulnerability, identified as CVE-2025-14018, has been discovered in NetBT e-Fatura version 2024. The flaw is categorized as CWE-428 (Unquoted Search Path or Element) and sits in the 'InboxProcessor' service. It allows a local attacker to abuse the service's configuration to execute arbitrary code with SYSTEM privileges on Windows Server environments.
The issue depends on two conditions: the service binary path is unquoted, and the directory permissions on the application folder grant 'Builtin Users' read and write access. By placing a malicious executable in the resulting search path, an unauthorized local user can hijack the service start process and elevate their privileges to SYSTEM.
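As an added defensive example, not code from the advisory or the vendor: a PowerShell audit that enumerates services whose binary path is unquoted and contains spaces, then reports the path-prefix directories where Users, Everyone or Authenticated Users hold write rights, which is exactly the combination the advisory describes. It assumes an elevated PowerShell session and makes no assumption about the product's install path or service name.

```powershell
# Added example (not from the advisory): audit a Windows host for CWE-428
# unquoted service paths combined with weak directory ACLs.

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            -not $_.PathName.StartsWith('"') -and
            $_.PathName -match '^[A-Za-z]:\\' -and
            # Only the executable portion (before ".exe") matters for CWE-428.
            ($_.PathName -split '\.exe')[0] -match ' '
        } |
        Select-Object Name, StartName, PathName
}

function Get-ExposedSearchDirectory {
    param([Parameter(Mandatory)][string]$PathName)
    # Drop any arguments: keep everything up to the first ".exe".
    $exe   = $PathName -replace '(?i)^(.*?\.exe).*$', '$1'
    $parts = $exe -split '\\'
    # For C:\Program Files\Vendor App\bin\svc.exe the loader probes
    # C:\Program.exe and C:\Program Files\Vendor.exe, so every directory
    # that precedes a space-containing component is a candidate to check.
    for ($i = 1; $i -lt $parts.Count; $i++) {
        if (($parts[$i] -split ' ').Count -lt 2) { continue }
        $dir = $parts[0..($i - 1)] -join '\'
        if ($i -eq 1) { $dir += '\' }          # bare drive root, e.g. C:\
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $weak = (Get-Acl -LiteralPath $dir).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'BUILTIN\\Users|Everyone|Authenticated Users' -and
            $_.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles'
        }
        if ($weak) {
            [pscustomobject]@{
                Directory = $dir
                Identity  = ($weak.IdentityReference -join ', ')
                Rights    = ($weak.FileSystemRights -join ', ')
            }
        }
    }
}

Get-UnquotedServicePath | ForEach-Object {
    $svc = $_
    Get-ExposedSearchDirectory -PathName $svc.PathName |
        Select-Object @{n='Service'; e={ $svc.Name }},
                      @{n='RunsAs';  e={ $svc.StartName }},
                      Directory, Identity, Rights
}
```

Any row this emits for a service that runs as LocalSystem is the condition the advisory describes; remediation is to quote the service's ImagePath and remove write access for standard users on the listed directories.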