CVE-2019-19954

HIGH

Signal-desktop < 1.29.1 - Uncontrolled Search Path

Title source: rule

Description

Signal Desktop before 1.29.1 on Windows allows local users to gain privileges by creating a Trojan horse %SYSTEMDRIVE%\node_modules\.bin\wmic.exe file.

References (2)

[Exploit, Patch, Third Party Advisory] https://blog.mirch.io/2019/12/18/signal-desktop-windows-lpe/

[Patch] https://github.com/signalapp/Signal-Desktop/commit/2da39cca673cc11be3c6d70d4fb95889f9ab6688

View Patch ZIP pw:eip

Scores

CVSS v3 7.3

EPSS 0.0014

EPSS Percentile 33.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Classification

CWE

CWE-427

Status published

Affected Products (1)

signal/signal-desktop < 1.29.1

Timeline

Published Dec 24, 2019

Tracked Since Feb 18, 2026