Product Cryptomator
Vendor Skymatic GmbH
Affected Versions <=1.9.2
Tested Versions 1.9.2
Subject Improper Privilege Management - CWE-269
Risk Level Medium
Solution Status Fixed
Manufacturer Notification Aug 3 2023
Solution Date Aug 7 2023
Public Disclosure Aug 7 2023
CVE Reference CVE-2023-39520
Author Matthias Zöllner, Cyvisory Group GmbH


The MSI installer provided on the homepage allows local privilege escalation (LPE) for low-privileged users via the repair function.


The problem occurs because the repair function of the MSI spawns a SYSTEM PowerShell without the -NoProfile parameter. As a result, the PowerShell profile of the user who starts the repair is loaded and executed in that SYSTEM context.

Load attempts for the profile

Proof of Concept (PoC)

As a low-privileged user, perform the following steps to reproduce:

  • Locate the MSI installer under c:\windows\installer\. You can also bring in a fresh one, as long as the version fits.

  • Generate a default profile for the user under %HOME%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1.

  • Add execution to the profile, e.g. Start-Process -FilePath cmd.exe -Wait;

  • Run the located installer with msiexec.exe /fa '.\Cryptomator-1.9.2-x64(1).msi'

  • A SYSTEM cmd will spawn

Local elevation of privileges on every machine where the MSI installer can still be found or to which it can be brought.

Workaround / Fix

Adding the -NoProfile parameter to the PowerShell invocation should help.
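A detection check for the condition described above, added here as an example and not part of the original advisory or the vendor's fix: it flags process-creation records in which powershell.exe runs as SYSTEM without -NoProfile, and it generalizes beyond this installer to any such launch. The record layout (Sysmon Event ID 1 field names) and all sample values are constructed for illustration.

```python
import shlex

def has_noprofile(command_line: str) -> bool:
    """True if an unquoted switch on the command line is -NoProfile.

    powershell.exe accepts the switch case-insensitively, with '-' or '/',
    and shortened to any prefix of 'noprofile' down to 'nop'.
    """
    try:
        tokens = shlex.split(command_line, posix=False)  # quoted text stays one token
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        tokens = command_line.split()
    for tok in tokens[1:]:  # tokens[0] is the executable
        name = tok[1:].lower()
        if tok[:1] in ("-", "/") and len(name) >= 3 and "noprofile".startswith(name):
            return True
    return False

def flag_events(events):
    """Return records where powershell.exe runs as SYSTEM without -NoProfile."""
    hits = []
    for ev in events:
        image = ev["Image"].lower().rsplit("\\", 1)[-1]
        is_system = ev["User"].lower().endswith("\\system")
        if image == "powershell.exe" and is_system and not has_noprofile(ev["CommandLine"]):
            hits.append(ev)
    return hits

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample records; paths, users and process IDs are not from the advisory.
SAMPLE_EVENTS = [
    {"ProcessId": 4112, "Image": PS, "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r'powershell.exe -ExecutionPolicy Bypass -File "C:\example\setup.ps1"'},
    {"ProcessId": 4208, "Image": PS, "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r'powershell.exe -NoP -NonInteractive -File "C:\example\setup.ps1"'},
    {"ProcessId": 4316, "Image": PS, "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r'powershell.exe /noprofile -File "C:\example\setup.ps1"'},
    {"ProcessId": 5120, "Image": PS, "User": r"EXAMPLE\lowpriv",
     "CommandLine": r'powershell.exe -File "C:\example\user.ps1"'},
    # "-nop" inside the quoted script text is not a switch, so this is still flagged.
    {"ProcessId": 5300, "Image": PS, "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": "powershell.exe -Command \"Write-Output '-nop'\""},
]

if __name__ == "__main__":
    for ev in flag_events(SAMPLE_EVENTS):
        print(ev["ProcessId"], ev["CommandLine"])
```

Switches that follow -File are passed to the script rather than to powershell.exe; this check does not model that distinction.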

Disclosure Timeline

2023-08-03: Vulnerability discovered
2023-08-03: Vulnerability reported to manufacturer
2023-08-07: Fixed by Vendor



Found and reported by Matthias Zoellner from Cyvisory Group GmbH



The information provided in this security advisory is provided “as is” and without warranty of any kind.