CVE-2019-12574
HIGHPrivate Internet Access VPN Client v1.0 - Authenticated DLL Injection via Updater Library Loading
Title source: llmDescription
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v1.0 for Windows could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The PIA client is vulnerable to a DLL injection vulnerability during the software update process. The updater loads several libraries from a folder that authenticated users have write access to. A low privileged user can leverage this vulnerability to execute arbitrary code as SYSTEM.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/mirchr/security-research/blob/master/vulnerabilities/PIA/CVE-2019-12574.txt
Scores
CVSS v3
7.8
EPSS
0.0211
EPSS Percentile
79.4%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-426
Status
published
Products (1)
londontrustmedia/private_internet_access_vpn_client
1.0
Published
Jul 11, 2019
Tracked Since
Feb 18, 2026