CVE-2025-34290
Local Privilege Escalation in Versa SASE Client via Audit Log Export
Publication date: 2025-12-20
Last updated on: 2025-12-20
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| versa | versa_sase_client | 7.9.4 |
| versa | versa_sase_client | 7.8.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
| CWE-250 | The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-34290 is a local privilege escalation vulnerability in the Versa SASE Client for Windows (versions 7.8.7 to 7.9.4). It occurs in the audit log export functionality where the client sends user-controlled file paths to a privileged service. This service performs file system operations without impersonating the requesting user, leading to improper privilege handling. Combined with a time-of-check time-of-use (TOCTOU) race condition and manipulation of symbolic links and mount points, a local authenticated attacker can trick the service into deleting arbitrary directories with SYSTEM privileges. This can result in deletion of protected system folders like C:\Config.msi and enable execution as NT AUTHORITY\SYSTEM via MSI rollback techniques. [1]
How can this vulnerability impact me?
This vulnerability can allow a local authenticated attacker to escalate their privileges to SYSTEM level on a vulnerable Windows machine. By exploiting the vulnerability, the attacker can delete critical system directories and execute code with NT AUTHORITY\SYSTEM privileges, potentially leading to full system compromise, unauthorized access, and control over the affected system. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Versa SASE Client for Windows to version 7.9.5 or later, as versions from 7.8.7 up to but not including 7.9.5 are affected. Additionally, restrict local authenticated user access to the audit log export functionality and monitor for any suspicious file system operations involving symbolic links or mount points to prevent exploitation. [1]
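The monitoring step above, as an added example that is not part of the original page or of Versa's tooling: a PowerShell sweep that lists directory junctions (mount points) and symbolic links under user-writable locations and marks those that resolve to protected paths such as C:\Config.msi. The scan roots and the protected-path list are assumptions, since the page does not name the directories the audit log export uses.

```powershell
# Added example, not vendor code. Lists junctions (mount points) and symbolic
# links under the given roots and marks those resolving to protected paths.
# ASSUMPTIONS: $ScanRoots and $Protected are illustrative defaults; the page
# does not name the directories the audit log export uses.
param(
    [string[]]$ScanRoots = @("$env:SystemDrive\Users", $env:ProgramData),
    [string[]]$Protected = @("$env:SystemDrive\Config.msi", $env:windir,
                             $env:ProgramFiles, ${env:ProgramFiles(x86)})
)

function Test-UnderPath {
    # True when $Candidate equals $Base or lies beneath it (case-insensitive).
    param([string]$Candidate, [string]$Base)
    if (-not $Candidate -or -not $Base) { return $false }
    $c = $Candidate.TrimEnd('\') + '\'
    $b = $Base.TrimEnd('\') + '\'
    return $c.StartsWith($b, [StringComparison]::OrdinalIgnoreCase)
}

function Find-ReparsePoint {
    # Walks the tree by hand so that links are reported but never followed.
    param([string]$Path)
    $children = Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    foreach ($item in $children) {
        $isLink = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
        if ($isLink -and $item.LinkType -in 'Junction', 'SymbolicLink') {
            foreach ($raw in @($item.Target)) {
                $target = "$raw" -replace '^\\\?\?\\', ''   # drop NT "\??\" prefix
                $hit = [bool]($Protected | Where-Object { Test-UnderPath $target $_ })
                [pscustomobject]@{
                    Path       = $item.FullName
                    LinkType   = $item.LinkType
                    Target     = $target
                    CreatedUtc = $item.CreationTimeUtc
                    Protected  = $hit
                }
            }
        } elseif ($item.PSIsContainer -and -not $isLink) {
            Find-ReparsePoint -Path $item.FullName
        }
    }
}

$ScanRoots | Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    ForEach-Object { Find-ReparsePoint -Path $_ } |
    Sort-Object -Property @{ Expression = 'Protected'; Descending = $true }, CreatedUtc |
    Format-Table -AutoSize
```

Windows creates compatibility junctions inside user profiles by default, so compare the output against a known-good baseline and review recently created entries with `Protected` set to `True` first.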