CVE-2022-48222

HIGH

Gbgplc Acuant Acufill SDK < 10.22.02.03 - Uncontrolled Search Path

Title source: rule

Description

An issue was discovered in Acuant AcuFill SDK before 10.22.02.03. During SDK installation, certutil.exe is called by the Acuant installer to install certificates. This window is not hidden, and is running with elevated privileges. A standard user can break out of this window, obtaining a full SYSTEM command prompt window. This results in complete compromise via arbitrary SYSTEM code execution (elevation of privileges).

References (2)

[Not Applicable] https://acuant.com

[Third Party Advisory] https://hackandpwn.com/disclosures/CVE-2022-48222.pdf

Scores

CVSS v3 7.8

EPSS 0.0006

EPSS Percentile 19.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-427

Status published

Affected Products (1)

gbgplc/acuant_acufill_sdk < 10.22.02.03

Timeline

Published Apr 04, 2023

Tracked Since Feb 18, 2026