The CERT Coordination Center (CERT/CC) has issued a Vulnerability Note detailing a critical privilege escalation flaw affecting SysTrack, a widely deployed endpoint monitoring tool developed by Lakeside Software. Tracked as CVE-2025-6241, the vulnerability allows attackers to execute arbitrary code with SYSTEM-level privileges, potentially compromising entire enterprise environments.
SysTrack is part of Lakeside's digital employee experience platform, offering deep insights into endpoint health and user productivity. One of its core components, LsiAgent.exe, is designed to run at startup under the SYSTEM account, collecting telemetry and status data.
According to the report, LsiAgent.exe attempts to load a DLL named wfapi.dll from any location listed in the System PATH environment variable, a dangerous design choice if left unchecked.
"The program does not properly check which files or places from which it loads the DLL files, allowing an attacker to place a malicious DLL file… and gain code execution," CERT/CC explains.
This kind of flaw is known as a DLL hijacking vulnerability, and in this case, it can lead to local privilege escalation (LPE).
The vulnerability can be exploited in two primary ways:
- DLL Injection via PATH: An attacker with write permissions to any directory in the system's PATH variable can place a malicious wfapi.dll in that location. When LsiAgent.exe starts, either on system boot or user action, it will unknowingly load and execute the malicious DLL with SYSTEM privileges.
- Bundled DLL Exploit: Alternatively, an attacker can distribute a repackaged version of LsiAgent.exe alongside a malicious DLL. If a user runs the executable, the bundled DLL gets loaded, again granting full system access.
"The bundled DLL will be executed when the victim runs the supposedly safe LsiAgent.exe program," CERT/CC states.
The potential consequences of this vulnerability are serious. Because the process runs with NT AUTHORITY\SYSTEM permissions and is signed by Lakeside Software, any malicious actions taken by the exploit appear to originate from a trusted source.
This opens the door to full system takeover, credential dumping, lateral movement, or ransomware deployment, especially in environments where SysTrack is used across hundreds or thousands of endpoints.
The vulnerability affects SysTrack version 10.05.0027, and has been patched in version 10.10.0.42 and higher. Lakeside Software has provided updated binaries that resolve the unsafe DLL loading behavior by implementing stricter path validation.
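Until the update is deployed, defenders can check an endpoint for the two conditions the PATH scenario depends on: a machine PATH directory writable by a non-administrative principal, and a wfapi.dll sitting in a PATH directory. The PowerShell script below is an added example, not code from CERT/CC or Lakeside Software; the list of trusted principals is an assumed baseline and should be adjusted to the environment.

```powershell
# Added example: audit the machine PATH for the conditions behind CVE-2025-6241.
# Run elevated so that every directory ACL can be read.
$dllName = 'wfapi.dll'          # DLL name taken from the CERT/CC note
$trusted = @(                   # assumed baseline: principals expected to have write access
    'S-1-5-18',                 # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',             # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# FILE_ADD_FILE (0x2), GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000)
$writeBits   = 0x2 -bor 0x10000000 -bor 0x40000000
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

$dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')) } |
    Where-Object { $_ } | Select-Object -Unique

$findings = foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        [pscustomobject]@{ Directory = $dir; Issue = 'PATH entry does not exist'; Detail = '' }
        continue
    }
    try {
        $rules = (Get-Acl -LiteralPath $dir -ErrorAction Stop).GetAccessRules($true, $true, $sidType)
    } catch {
        [pscustomobject]@{ Directory = $dir; Issue = 'ACL unreadable'; Detail = $_.Exception.Message }
        continue
    }
    foreach ($ace in $rules) {
        # Allow ACEs that apply to the directory itself and permit creating a file in it
        $canWrite = ([int]$ace.FileSystemRights -band $writeBits) -ne 0
        $applies  = ([int]$ace.PropagationFlags -band $inheritOnly) -eq 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and $applies -and
            $trusted -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{ Directory = $dir; Issue = 'Writable by untrusted principal'
                               Detail = "$($ace.IdentityReference.Value): $($ace.FileSystemRights)" }
        }
    }
    $dll = Join-Path $dir $dllName
    if (Test-Path -LiteralPath $dll -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -LiteralPath $dll
        [pscustomobject]@{ Directory = $dir; Issue = "$dllName present"
                           Detail = "signature: $($sig.Status); signer: $($sig.SignerCertificate.Subject)" }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

A reported wfapi.dll is a prompt to verify the file's origin and signature, not proof of compromise.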