Security researchers uncovered a critical vulnerability in PDF24 Creator’s MSI installer that lets attackers escalate privileges to SYSTEM level with disturbing ease. The flaw, designated CVE-2023-49147, affects versions up to 11.15.1 and carries a CVSS score of 7.8 – that’s HIGH for those keeping score at home.
Pretty terrifying when you think about how many businesses rely on PDF tools.
When common tools become attack vectors, the foundation of business security crumbles beneath our keyboards.
The exploit works through a clever trick. When running a repair function on the MSI installer, a cmd.exe window pops up with SYSTEM privileges. Normally, this window disappears quickly – blink and you’ll miss it. But attackers found they could freeze this process using an oplock on a specific log file. Game over.
What makes this vulnerability particularly nasty? No UAC popup appears during the attack. Zero warning. The attacker simply runs “msiexec.exe /fa” pointing to the PDF24 installer, sets the oplock, and boom – SYSTEM-level access. Full control of the victim’s machine.
And yes, there’s already a public proof-of-concept available online. Wonderful.
The attack requires local access and PDF24 Creator must be installed via MSI beforehand. Curiously, the EXE installer isn’t affected. Small mercies, right?
Geek Software GmbH, the vendor behind PDF24, released version 11.15.2 on December 8, 2023, patching this vulnerability. The fix came almost two months after discovery on October 16. Better late than never, I guess.
Users still running vulnerable versions should update immediately, or switch to the EXE installer if they’re feeling particularly adventurous. The vulnerability specifically impacts the pdf24-PrinterInstall.exe subprocess, which executes with elevated SYSTEM privileges during installation repair.
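As an added defender-side example (not code from the article, the researchers or the vendor): a small Python helper that checks whether an installed version predates the 11.15.2 fix and flags, in constructed process-creation telemetry, a SYSTEM cmd.exe spawned under pdf24-PrinterInstall.exe with an msiexec repair further up the tree. The process-tree shape, field names and sample events are assumptions for illustration.

```python
from dataclasses import dataclass

# First fixed release per the advisory; anything older is in the affected range (<= 11.15.1).
PATCHED_VERSION = (11, 15, 2)

def parse_version(text):
    """'11.15.1' -> (11, 15, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))

def is_vulnerable(version):
    """True when the installed PDF24 Creator build predates the 11.15.2 fix."""
    return parse_version(version) < PATCHED_VERSION

@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 / 4688-style fields, assumed)."""
    pid: int
    ppid: int
    image: str      # executable file name only
    cmdline: str
    user: str

def find_repair_shells(events):
    """Flag cmd.exe running as SYSTEM whose parent is pdf24-PrinterInstall.exe
    and whose ancestry includes an msiexec.exe repair (/f switch)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image.lower() != "cmd.exe" or e.user.upper() != "NT AUTHORITY\\SYSTEM":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() != "pdf24-printerinstall.exe":
            continue
        # Walk the rest of the tree looking for the repair invocation.
        cur = by_pid.get(parent.ppid)
        while cur is not None:
            if cur.image.lower() == "msiexec.exe" and "/f" in cur.cmdline.lower():
                hits.append(e)
                break
            cur = by_pid.get(cur.ppid)
    return hits

# Constructed sample telemetry, not real logs: one repair-spawned SYSTEM shell, one ordinary user shell.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe", "CORP\\alice"),
    ProcEvent(200, 100, "msiexec.exe", 'msiexec.exe /fa "C:\\Temp\\pdf24-creator.msi"', "CORP\\alice"),
    ProcEvent(300, 200, "pdf24-PrinterInstall.exe", "pdf24-PrinterInstall.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(400, 300, "cmd.exe", "cmd.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(500, 100, "cmd.exe", "cmd.exe", "CORP\\alice"),
]
```

Running `find_repair_shells(SAMPLE_EVENTS)` returns only the SYSTEM shell (pid 400); the user's own cmd.exe is left alone.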
The exploitation chain relies on non-Edge browsers like Chrome or Firefox for initial setup. Once established, attackers gain complete system-level access. This means full control over everything. Absolutely everything.
Some users reported firewall alerts with pdf24-Toolbox.exe executing temporary .json files, but these appear unrelated to this specific vulnerability. Still. Not great for PR.
Security experts recommend a thorough security review by professionals immediately after installing the patch to ensure no backdoors were established before remediation.