CVE-2009-2564

NOS Microsystems getPlus Download Manager - Privilege Escalation


Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-2564. PoCs published by Jeremy Brown, Nine:Situations:Group.

AI-analyzed exploit summary: This exploit leverages improper file permissions on the Adobe Acrobat 9.1.2 NOS GetPlus_HelperSvc.exe service to replace it with a malicious binary, achieving local privilege escalation. The secondary binary adds a new administrator user via command execution.

Description

NOS Microsystems getPlus Download Manager, as used in Adobe Reader 1.6.2.36 and possibly other versions, Corel getPlus Download Manager before 1.5.0.48, and possibly other products, installs NOS\bin\getPlus_HelperSvc.exe with insecure permissions (Everyone:Full Control), which allows local users to gain SYSTEM privileges by replacing getPlus_HelperSvc.exe with a Trojan horse program, as demonstrated by use of getPlus Download Manager within Adobe Reader. NOTE: within Adobe Reader, the scope of this issue is limited because the program is deleted and the associated service is not automatically launched after a successful installation and reboot.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Jeremy Brown · text · local · windows
https://www.exploit-db.com/exploits/9223

This exploit leverages improper file permissions on the Adobe Acrobat 9.1.2 NOS GetPlus_HelperSvc.exe service to replace it with a malicious binary, achieving local privilege escalation. The secondary binary adds a new administrator user via command execution.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: Adobe Acrobat 9.1.2 NOS GetPlus_HelperSvc
No auth needed
Prerequisites: Adobe Acrobat 9.1.2 with NOS installed · Local access to the system · GetPlus_HelperSvc.exe with weak file permissions
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Nine:Situations:Group · text · local · windows
https://www.exploit-db.com/exploits/9199

This writeup describes a local privilege escalation vulnerability in Adobe's getPlus_HelperSvc.exe due to improper file permissions, allowing users to replace the executable with a malicious binary that runs with SYSTEM privileges on reboot.

Classification: Writeup 100%
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: Adobe getPlus_HelperSvc.exe (shipped with Acrobat Reader 9.x)
Auth required
Prerequisites: Local access to the system · Presence of vulnerable getPlus_HelperSvc.exe with weak permissions
devstral-2 · analyzed Feb 16, 2026

References (14)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/9199
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-286B.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1023007
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5719
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/35740
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/1969
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/54383
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/35930
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/505095/100/0/threaded
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/2898
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36331

Scores

EPSS 0.0560
EPSS Percentile 91.9%

Details

CWE CWE-264
Status published
Products (4)
adobe/acrobat_reader 9.0
adobe/acrobat_reader 9.1
corel/getplus_download_manager 1.5.0.48
nos_microsystems/getplus_download_manager 1.6.2.36
Published Jul 21, 2009
Tracked Since Feb 18, 2026