Kaspersky's VPN Secure Connection for Microsoft Windows has a local privilege-escalation (LPE) vulnerability that could allow an already-authenticated attacker to gain administrative privileges and potentially seize total control of a victim's computer.
Researchers disagree over the severity of the bug, which is tracked as CVE-2022-27535. A published Synopsys advisory rates it high-severity with a CVSS score of 7.8 out of 10, whereas Kaspersky rates it moderate with a CVSS score of 5.0.
In either case, the flaw is present in the Support Tools section of the app and would enable root access to Server, the highest level possible in the Windows environment, allowing an authenticated attacker to delete any file on the system at will.
The Kaspersky team has fixed a flaw in Kaspersky VPN Secure Connection that allowed an authorized attacker to trigger arbitrary file deletion on the host. Such deletion could result in device malfunction or the loss of crucial system files needed for proper system operation.
To carry out the attack, an attacker needed to create a specific file and then persuade the user to invoke the product's 'Delete all service data and reports' or 'Save report on your computer' feature.
Kaspersky has resolved the issue; users should upgrade to version 21.6 or later to patch their systems.