CVE-2019-7588

MEDIUM

exacqVision ESM <5.12.2 - Privilege Escalation

Title source: llm

Description

A vulnerability in the exacqVision Enterprise System Manager (ESM) v5.12.2 application whereby unauthorized privilege escalation can potentially be achieved. This vulnerability impacts exacqVision ESM v5.12.2 and all prior versions of ESM running on a Windows operating system. This issue does not impact any Windows Server OSs, or Linux deployments with permissions that are not inherited from the root directory. Authorized Users have ‘modify’ permission to the ESM folders, which allows a low privilege account to modify files located in these directories. An executable can be renamed and replaced by a malicious file that could connect back to a bad actor providing system level privileges. A low privileged user is not able to restart the service, but a restart of the system would trigger the execution of the malicious file. This issue affects: Exacq Technologies, Inc. exacqVision Enterprise System Manager (ESM) Version 5.12.2 and prior versions; This issue does not affect: Exacq Technologies, Inc. exacqVision Enterprise System Manager (ESM) 19.03 and above.

References (4)

Core 4

Core References

Third Party Advisory, US Government Resource x_refsource_misc

https://ics-cert.us-cert.gov/advisories/ICSA-19-164-01

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

https://packetstormsecurity.com/files/151691/exacqvisionesm5122-escalate.txt

Mitigation, Vendor Advisory x_refsource_confirm

https://exacq.com/kb?crc=31399

Mitigation, Third Party Advisory x_refsource_confirm

https://www.johnsoncontrols.com/-/media/jci/be/united-states/specialty-pages/product-security/files/cpp-psa-2019-01-v2-exacqvision-esm.pdf

Scores

CVSS v3 6.7

EPSS 0.0073

EPSS Percentile 49.6%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-276

Status published

Products (1)

exacq/enterprise_system_manager < 5.12.2

Published Jun 18, 2019

Tracked Since Feb 18, 2026