CVE-2020-12431
MEDIUM
Splashtop Software Updater <1.5.6.16 - Privilege Escalation
Title source: llm
Description
A Windows privilege change issue was discovered in Splashtop Software Updater before 1.5.6.16. Insecure permissions on the configuration file and named pipe allow for local privilege escalation to NT AUTHORITY/SYSTEM, by forcing a permission change to any Splashtop files and directories, with resultant DLL hijacking. This product is bundled with Splashtop Streamer (before 3.3.8.0) and Splashtop Business (before 3.3.8.0).
References (2)
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/360042648231-Splashtop-Streamer-version-3-3-8-0-for-Windows-released-includes-SOS-version-3-3-8-0
Exploit, Third Party Advisory x_refsource_misc
https://improsec.com/tech-blog/privilege-escalation-vulnerability-in-splashtop-streamer
Scores
CVSS v3
6.6
EPSS
0.0008
EPSS Percentile
23.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
Details
CWE
CWE-732
Status
published
Products (2)
splashtop/software_updater
< 1.5.6.16
splashtop/streamer
< 3.3.8.0 (2 CPE variants)
Published
May 21, 2020
Tracked Since
Feb 18, 2026