Description
Tosibox Key Service 3.3.0 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. Because the service path is unquoted, an attacker can insert malicious code in the system root path and have it executed by the service startup process during application startup or system reboot.
References (4)
Core References
Exploit, Third Party Advisory third-party-advisory
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5812.php
Third Party Advisory exploit
https://packetstormsecurity.com/files/177260/
Product vendor-advisory
https://www.tosi.net/
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/tosibox-key-service-local-privilege-escalation-via-unquoted-service-path
Scores
CVSS v3: 7.8
EPSS: 0.0020
EPSS Percentile: 9.5%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-428
Status: published
Products (1): tosi/tosibox_key < 3.3.0
Published: Dec 30, 2025
Tracked Since: Feb 18, 2026