Product: Securepoint SSL VPN Installer
Vendor: Securepoint GmbH
Affected Versions: <= 2.0.39
Tested Versions: 2.0.39
Subject: Improper Privilege Management - CWE-269
Risk Level: Medium
Solution Status: fixed
Manufacturer Notification: Aug 8 2023
Solution Date: Aug 25 2023
Public Disclosure: Oct 13 2023
CVE Reference: CVE-2023-47101
Author: Matthias Zöllner, Cyvisory Group GmbH

Summary

The MSI installer for the Securepoint SSL VPN client, provided on the vendor page https://wiki.securepoint.de/VPN, allows local privilege escalation (LPE) for low-privileged users via the repair function.

Details

The problem occurs because the repair function of the MSI spawns a visible cmd window running in an administrative (SYSTEM) context. If that window is caught, LPE is possible via a very simple breakout.

Proof of Concept (PoC)

As a low-privileged user, do the following steps to reproduce:

  • Locate the MSI installer under C:\Windows\Installer\. The installer is cached there for as long as the software is installed.

  • Run the located installer with: msiexec.exe /fa C:\Windows\Installer\2847d63.msi

  • When the installer runs, note that a cmd window flickers briefly.

  • Catch the cmd window by quickly selecting some text in it.

  • To make the window easier to catch, the script runtime can be extended by adding a lot of files that the script will delete:
    1..50000 | foreach { new-item -path "C:\Users\dev\AppData\Roaming\Securepoint SSL VPN\$_.txt"}

  • Spawn a new SYSTEM cmd via: cmd -> Properties -> "legacy console mode" link -> Internet Explorer -> CTRL+O -> cmd.exe

Screenshot: The cmd command running

Screenshot: Caught cmd running in SYSTEM context

Screenshot: Spawned SYSTEM cmd

Impact

Local elevation of privileges on every machine where the MSI installer is still cached or can be brought to.

Workaround / Fix

The CustomAction in the MSI should not spawn a visible window.
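Until the fixed installer is rolled out, the pattern described in Details (a console shell started by msiexec.exe as SYSTEM, and then a further process spawned from that shell) is easy to spot in process-creation telemetry. The following Python script is an added example written for this advisory, not code from the vendor or the author; it runs over a handful of constructed Sysmon-style process-creation records (field names ProcessGuid, ParentProcessGuid, Image, CommandLine, User are assumed, the events themselves are made up) and raises a medium finding for any SYSTEM shell whose parent is msiexec.exe, and a high finding for any SYSTEM process that descends from such a shell.

```python
"""Flag SYSTEM shells spawned by the Windows Installer and anything launched from them."""
import json
from typing import Dict, Iterator, List

# Constructed Sysmon-style process-creation events (not real telemetry).
# g1: the user's repair request, g2: the installer service process, g3: the
# custom action's cmd window, g4: its console host, g5/g6: a breakout chain,
# g7: an ordinary user shell that must not be flagged.
SAMPLE_EVENTS: List[dict] = [
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0", "ProcessId": 4100, "User": r"LAB\dev",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /fa C:\Windows\Installer\2847d63.msi"},
    {"ProcessGuid": "g2", "ParentProcessGuid": "g-services", "ProcessId": 4820,
     "User": r"NT AUTHORITY\SYSTEM", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"C:\Windows\system32\msiexec.exe /V"},
    {"ProcessGuid": "g3", "ParentProcessGuid": "g2", "ProcessId": 5040,
     "User": r"NT AUTHORITY\SYSTEM", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "<cleanup script, constructed placeholder>"'},
    {"ProcessGuid": "g4", "ParentProcessGuid": "g3", "ProcessId": 5100,
     "User": r"NT AUTHORITY\SYSTEM", "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"ProcessGuid": "g5", "ParentProcessGuid": "g3", "ProcessId": 5230,
     "User": r"NT AUTHORITY\SYSTEM", "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe"'},
    {"ProcessGuid": "g6", "ParentProcessGuid": "g5", "ProcessId": 5310,
     "User": r"NT AUTHORITY\SYSTEM", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe"'},
    {"ProcessGuid": "g7", "ParentProcessGuid": "g-explorer", "ProcessId": 6000,
     "User": r"LAB\dev", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe"'},
]

SYSTEM_USERS = {r"NT AUTHORITY\SYSTEM", "SYSTEM"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
NOISE = {"conhost.exe"}  # every console shell spawns a conhost; that alone is not a breakout


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_system(event: dict) -> bool:
    return event.get("User", "").upper() in SYSTEM_USERS


def ancestry(event: dict, by_guid: Dict[str, dict], limit: int = 16) -> Iterator[dict]:
    """Yield the event and then its ancestors, nearest first, following ParentProcessGuid."""
    seen = set()
    cur = event
    while cur is not None and cur["ProcessGuid"] not in seen and len(seen) < limit:
        seen.add(cur["ProcessGuid"])
        yield cur
        cur = by_guid.get(cur.get("ParentProcessGuid"))


def is_installer_shell(event: dict, by_guid: Dict[str, dict]) -> bool:
    """A console shell running as SYSTEM whose parent is msiexec.exe, i.e. a custom action window."""
    if basename(event["Image"]) not in SHELLS or not is_system(event):
        return False
    parent = by_guid.get(event.get("ParentProcessGuid"))
    return parent is not None and basename(parent["Image"]) == "msiexec.exe"


def find_installer_shell_abuse(events: List[dict]) -> List[dict]:
    """Return findings in event order: medium for the installer shell, high for its descendants."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        if is_installer_shell(e, by_guid):
            findings.append({"severity": "medium", "rule": "installer_system_shell",
                             "pid": e["ProcessId"], "image": basename(e["Image"]),
                             "cmdline": e["CommandLine"]})
            continue
        if basename(e["Image"]) in NOISE or not is_system(e):
            continue
        # Any SYSTEM process descending from an installer shell means the window was used interactively.
        for anc in ancestry(e, by_guid):
            if anc is not e and is_installer_shell(anc, by_guid):
                findings.append({"severity": "high", "rule": "installer_shell_breakout",
                                 "pid": e["ProcessId"], "image": basename(e["Image"]),
                                 "via_pid": anc["ProcessId"], "cmdline": e["CommandLine"]})
                break
    return findings


if __name__ == "__main__":
    print(json.dumps(find_installer_shell_abuse(SAMPLE_EVENTS), indent=2))
```

The medium rule fires on every cmd-based custom action that runs as SYSTEM, visible window or not, so on a fleet it doubles as an inventory of installers that still use the pattern this advisory asks the vendor to remove; the high rule is the one worth alerting on, since a legitimate cleanup script never launches further processes from that shell other than its console host.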

Disclosure Timeline

2023-08-07: Vulnerability discovered
2023-08-08: Vulnerability reported to manufacturer
2023-08-25: Manufacturer fixed the issue

Credits

Found and reported by Matthias Zoellner from Cyvisory Group GmbH

E-Mail: [email protected]
Website: https://Cyvisory.group

Disclaimer

The information provided in this security advisory is provided “as is” and without warranty of any kind.