Description
The CorsairService Service in Corsair Utility Engine is installed with insecure default permissions, which allows unprivileged local users to execute arbitrary commands via modification of the CorsairService BINARY_PATH_NAME, leading to complete control of the affected system. The issue exists due to the Windows "Everyone" group being granted SERVICE_ALL_ACCESS permissions to the CorsairService Service.
References (1)
Core References
Third Party Advisory x_refsource_misc
https://github.com/TheRealJoeDoran/CVE/blob/master/CVE-2018-12441/CVE-2018-12441.txt
Scores
CVSS v3: 7.8
EPSS: 0.0053
EPSS Percentile: 40.8%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-276
Status: published
Products (5)
corsair/corsair_utility_engine 3.2.87
corsair/corsair_utility_engine 3.3.103
corsair/corsair_utility_engine 3.4.95
corsair/corsair_utility_engine 3.6.109
corsair/corsair_utility_engine 3.7.99
Published: Oct 11, 2018
Tracked Since: Feb 18, 2026