CVE-2016-15045
HIGHlastore-daemon <0.9.66-1 - Privilege Escalation
Title source: llmDescription
A local privilege escalation vulnerability exists in lastore-daemon, the system package manager daemon used in Deepin Linux (developed by Wuhan Deepin Technology Co., Ltd.). In versions 0.9.53-1 (Deepin 15.5) and 0.9.66-1 (Deepin 15.7), the D-Bus configuration permits any user in the sudo group to invoke the InstallPackage method without password authentication. By default, the first user created on Deepin is in the sudo group. An attacker with shell access can craft a .deb package containing a malicious post-install script and use dbus-send to install it via lastore-daemon, resulting in arbitrary code execution as root.
Exploits (3)
exploitdb
WORKING POC
VERIFIED
by Metasploit · rubylocallinux
https://www.exploit-db.com/exploits/44523
metasploit
WORKING POC
EXCELLENT
by King, , # Discovery and exploit · rubypoclinux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/lastore_daemon_dbus_priv_esc.rb
References (6)
Scores
CVSS v4
8.5
EPSS
0.0138
EPSS Percentile
80.3%
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Details
CWE
CWE-269
CWE-306
Status
published
Products (2)
Wuhan Deepin Technology Co., Ltd./Deepin Linux
0.9.53-1 (Deepin 15.5)
Wuhan Deepin Technology Co., Ltd./Deepin Linux
0.9.66-1 (Deepin 15.7)
Published
Jul 23, 2025
Tracked Since
Feb 18, 2026