CVE-2025-63421
Arbitrary Code Execution in filosoft Comerc.32 comeinst.exe
Publication date: 2026-02-12
Last updated on: 2026-02-13
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| filosoft | comerc | 16.0.0.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-63421 is a vulnerability in Filosoft Comerc.32 Commercial Invoicing version 16.0.0.3 that allows a local attacker to execute arbitrary code via the comeinst.exe installer file.
During installation, the installer drops a setup.exe file into a user-writable temporary folder. Because users have write permissions in this folder, an attacker can replace the legitimate setup.exe with a malicious backdoor executable before installation completes.
The installer does not verify the integrity of setup.exe before copying it to the final installation directory. This backdoor is triggered during the uninstall process, which elevates privileges via User Account Control (UAC), allowing the backdoor to execute with escalated privileges.
This enables privilege escalation and lateral movement within the system or network, especially in environments with multiple administrator users.
How can this vulnerability impact me? :
This vulnerability can allow a local attacker to execute arbitrary code with elevated privileges on the affected system.
An attacker could replace a legitimate installer file with a malicious backdoor, which is then executed during uninstallation with high privileges.
This can lead to privilege escalation, allowing the attacker to gain higher-level access than intended.
It also enables lateral movement within networks, especially in environments with multiple administrators, such as Active Directory domains.
An attacker could trick a domain administrator into uninstalling the compromised software, thereby hijacking their account and potentially compromising the entire network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the installer binary comeinst.exe dropping a setup.exe file into a user-writable temporary folder, which can be replaced by a malicious executable. Detection can focus on identifying unauthorized or suspicious setup.exe files in temporary directories such as C:\Users\<user>\AppData\Local\Temp\{random-UID}\Disk1\.
Commands to detect potential exploitation might include searching for unexpected setup.exe files in temporary folders and verifying their integrity or origin.
- Use PowerShell to find setup.exe files in temp directories: Get-ChildItem -Path $env:TEMP -Recurse -Filter setup.exe
- Check the digital signature or hash of setup.exe files to detect unauthorized modifications.
- Monitor uninstall events triggered via Windows Control Panel that execute setup.exe from the installation directory.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting write permissions on the temporary setup.exe file to NT Authority/System and Builtin/Administrators. This prevents even installing users from overwriting the setup.exe without elevated privileges.
Additional recommendations are to validate the integrity of setup.exe before copying it to the final installation directory and to write setup.exe directly to its destination folder to avoid the race condition that allows replacement.