Full Report
Privilege escalation vulnerability (CVE-2024-9150) has been found in Wyn Enterprise software.
Analysis Summary
# Vulnerability: Privilege Escalation in Wyn Enterprise via Template Engine Abuse
## CVE Details
- CVE ID: CVE-2024-9150
- CVSS Score: *Score not explicitly provided, but context implies High severity due to privilege escalation*
- CWE: CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)
## Affected Systems
- Products: Wyn Enterprise
- Versions: All versions before 8.0.00204.0
- Configurations: Requires a low-privilege attacker account to trigger the functionality.
## Vulnerability Description
The vulnerability exists within the report generation functionality of Wyn Enterprise. It allows for improper limitation of code inclusion within the template engine. A low-privilege user can abuse this flawed functionality to achieve code inclusion, which enables the execution of malicious code, loading of DLL libraries, and execution of OS commands on the host system with the application's (high) privileges. This constitutes a successful Privilege Escalation.
## Exploitation
- Status: *Not explicitly stated, assume unconfirmed/PoC likely exists given disclosure coordination*
- Complexity: Low (Requires only a low privileges account)
- Attack Vector: Local (Requires access to leverage the functionality from within the application context, likely via a low-privileged user session)
## Impact
- Confidentiality: High (Execution of OS commands can lead to data exfiltration)
- Integrity: High (Ability to execute arbitrary code and load DLLs)
- Availability: High (Ability to execute OS commands can lead to service instability or shutdown)
## Remediation
### Patches
- Wyn Enterprise version **8.0.00204.0** and later.
### Workarounds
- No specific workarounds are detailed in the source material. Focus immediately on patching.
## Detection
- Detection methods are not explicitly provided. Monitoring for unexpected process execution or DLL loading originating from the Wyn Enterprise process context should be prioritized post-disclosure.
## References
- [Vendor advisories](https://www.cve.org/CVERecord?id=CVE-2024-9150)
- [CERT Polska Report](https://cert.pl/en/posts/2025/02/vulnerability-in-wyn-enterprise-software/)