Executive Summary

CVE-2025-63421 is a vulnerability in Filosoft Comerc.32 Commercial Invoicing version 16.0.0.3 that allows a local attacker to execute arbitrary code via the comeinst.exe installer file.

During installation, the installer drops a setup.exe file into a user-writable temporary folder. Because users have write permissions in this folder, an attacker can replace the legitimate setup.exe with a malicious backdoor executable before installation completes.

The installer does not verify the integrity of setup.exe before copying it to the final installation directory. This backdoor is triggered during the uninstall process, which elevates privileges via User Account Control (UAC), allowing the backdoor to execute with escalated privileges.

This enables privilege escalation and lateral movement within the system or network, especially in environments with multiple administrator users.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow a local attacker to execute arbitrary code with elevated privileges on the affected system.

An attacker could replace a legitimate installer file with a malicious backdoor, which is then executed during uninstallation with high privileges.

This can lead to privilege escalation, allowing the attacker to gain higher-level access than intended.

It also enables lateral movement within networks, especially in environments with multiple administrators, such as Active Directory domains.

An attacker could trick a domain administrator into uninstalling the compromised software, thereby hijacking their account and potentially compromising the entire network.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the installer binary comeinst.exe dropping a setup.exe file into a user-writable temporary folder, which can be replaced by a malicious executable. Detection can focus on identifying unauthorized or suspicious setup.exe files in temporary directories such as C:\Users\<user>\AppData\Local\Temp\{random-UID}\Disk1\.

Commands to detect potential exploitation might include searching for unexpected setup.exe files in temporary folders and verifying their integrity or origin.

• Use PowerShell to find setup.exe files in temp directories: Get-ChildItem -Path $env:TEMP -Recurse -Filter setup.exe
• Check the digital signature or hash of setup.exe files to detect unauthorized modifications.
• Monitor uninstall events triggered via Windows Control Panel that execute setup.exe from the installation directory.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting write permissions on the temporary setup.exe file to NT Authority/System and Builtin/Administrators. This prevents even installing users from overwriting the setup.exe without elevated privileges.

Additional recommendations are to validate the integrity of setup.exe before copying it to the final installation directory and to write setup.exe directly to its destination folder to avoid the race condition that allows replacement.

Useful 0 Not Useful 0