Researchers on Thursday reported a local privilege escalation vulnerability in Kaspersky’s VPN Secure Connection for Microsoft Windows.
In a blog post, the Synopsys Cybersecurity Research Center said the vulnerability, CVE-2022-27535, could let an attacker turn an arbitrary folder deletion into an escalation of privileges (EoP) to SYSTEM.
Kaspersky officials released a statement saying its team had closed a vulnerability in Kaspersky VPN Secure Connection that let an authenticated attacker trigger arbitrary file deletion on the system. They said it could lead to device malfunction or the removal of important system files required for correct system operation.
The Kaspersky team said that to execute this attack, an intruder had to create a specific file and convince users to run the “Delete all service data and reports” or “Save report on your computer” product features.
To fix the vulnerability, the Kaspersky team recommended users check the app version they are running and install the latest one. The affected versions include Kaspersky VPN Secure Connection prior to 21.6.
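One way for a Windows administrator to apply that advice across a fleet, as an added PowerShell example that is not Kaspersky's or Synopsys's code: it reads the Windows uninstall registry keys, picks out entries whose DisplayName contains "Kaspersky VPN" (an assumed match pattern) and flags any DisplayVersion below 21.6. It assumes the registry version string follows the same numbering as the product version Kaspersky cites.

```powershell
# Added defensive check (not vendor code): flag installed Kaspersky VPN Secure
# Connection builds older than 21.6, the first version reported as fixed for
# CVE-2022-27535. Run in an elevated or standard PowerShell session.

$FixedVersion = [version]'21.6'

# Both 64-bit and 32-bit uninstall hives, so a WOW6432Node install is not missed.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-KasperskyVpnStatus {
    # Assumption: the product's uninstall entry has "Kaspersky VPN" in DisplayName.
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Kaspersky VPN*' }

    foreach ($e in $entries) {
        $parsed = $null
        # DisplayVersion may carry suffixes; take only the leading dotted digits,
        # and report 'unknown' rather than guessing when it does not parse.
        if ($e.DisplayVersion -match '^\d+(\.\d+){1,3}') {
            $parsed = [version]$Matches[0]
        }
        $affected = if ($null -eq $parsed) { 'unknown' }
                    elseif ($parsed -lt $FixedVersion) { $true }
                    else { $false }

        [pscustomobject]@{
            DisplayName    = $e.DisplayName
            DisplayVersion = $e.DisplayVersion
            Affected       = $affected
        }
    }
}

$status = Get-KasperskyVpnStatus
if (-not $status) {
    Write-Output 'Kaspersky VPN Secure Connection not found in the uninstall registry keys.'
} else {
    $status | Format-Table -AutoSize
}
```

Any row with Affected set to True is a host still running a version prior to 21.6 and should be updated per Kaspersky's guidance; 'unknown' rows need a manual look at the version string.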