Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-12683

Severity CVSS v4.0:
MEDIUM
Type:
CWE-269 Improper Privilege Management
Publication date:
04/11/2025
Last modified:
04/11/2025

Description

The service employed by Everything, running as SYSTEM, communicates with the lower privileged Everything GUI via a named pipe. The named pipe has a NULL DACL and thus provides all users full permission over it; leading to potential Service Denial Of Service or Privilege escalation(only if chained with other elements) for a local low privilege user.

Impact

Vector 4.0
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Amber CVSS v4.0 Severity and Metrics:

Base Score: 5.80 MEDIUM
Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Amber

Attack Vector (AV): Local
Attack Complexity (AC): High
Attack Requirements (AT): None
Privileges Required (PR): Low
User Interaction (UI): None
Confidentiality (VC): High
Integrity (VI): High
Availability (VA): High
Confidentiality (SC): High
Integrity (SI): High
Availability (SA): High
Provider Urgency (U): Amber
Exploit Maturity (E): Unreported

Base Score 4.0
5.80
Severity 4.0
MEDIUM

References to Advisories, Solutions, and Tools