Description
Comodo Chromodo Browser 52.15.25.664 contains an unquoted service path vulnerability in the ChromodoUpdater service that runs with SYSTEM privileges. A local attacker can insert a malicious executable in the service path and execute arbitrary code with elevated privileges upon service restart or system reboot.
Published: 2026-06-19
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ChromodoUpdater service in Comodo Chromodo Browser version 52.15.25.664 is configured with an unquoted service path. Because the service runs with SYSTEM privileges, a local attacker who can write to the service path directory can replace the executable with a malicious program. When the service is restarted or the system reboots, the malicious executable will run under SYSTEM rights, providing complete control over the affected machine.

Affected Systems

The affected product is Comodo Chromodo Browser, version 52.15.25.664. No other product or version information is provided in the CNA data. The flaw resides solely in the ChromodoUpdater component of this specific browser build.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity, and the vulnerability is not listed in the CISA KEV catalog. EPSS data is not available, so the current exploit probability cannot be quantified. However, because the attack requires only local access to write to the service path, the risk of exploitation remains significant for users who have write permissions to that location or to the service registry settings. If an attacker succeeds, they can obtain SYSTEM privileges and potentially compromise the entire system. The attack vector is local; network or remote access is not required.

Generated by OpenCVE AI on June 19, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Comodo Chromodo Browser to a version that corrects the unquoted service path in ChromodoUpdater.
  • If an update is not available, disable or delete the ChromodoUpdater service to prevent execution of a malicious executable.
  • Restrict write permissions on the directory used by ChromodoUpdater and on its service configuration to prevent unauthorized replacement of the executable; ensure the service path is quoted.

Generated by OpenCVE AI on June 19, 2026 at 19:53 UTC.
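
The "ensure the service path is quoted" action above can be checked mechanically. The following is an added example, not code from OpenCVE or Comodo: it flags unquoted service command lines whose executable path contains a space and produces the quoted form. The service names and paths are constructed placeholders (the page does not give the real ChromodoUpdater path); on a live host the input would be each service's ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services.

```python
import re

# Extensions that end the executable part of an ImagePath (assumed set for this example).
_EXE_END = re.compile(r"\.(exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)


def audit_image_path(image_path):
    """Classify one service ImagePath string.

    Returns (flagged, suggested_value). flagged is True when the executable
    path is unquoted and contains a space (CWE-428). suggested_value is the
    same command line with the executable quoted, or the input unchanged.
    """
    value = image_path.strip()
    if value.startswith('"'):
        return (False, value)      # executable already quoted
    match = _EXE_END.search(value)
    if match is None:
        return (False, value)      # no recognisable executable; review by hand
    exe, args = value[:match.end()], value[match.end():]
    if " " not in exe:
        return (False, value)      # no space, so the path parses one way only
    return (True, f'"{exe}"{args}')


def audit_services(services):
    """services: dict of service name -> ImagePath. Returns name -> quoted fix."""
    findings = {}
    for name, path in services.items():
        flagged, fixed = audit_image_path(path)
        if flagged:
            findings[name] = fixed
    return findings


# Constructed sample data: placeholder names and paths, not taken from the advisory.
SAMPLE_SERVICES = {
    "ExampleUpdater": r"C:\Program Files\Example Vendor\Updater\updater.exe /svc",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\Agent\agent.exe" --run',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "DriverEntry": r"\SystemRoot\System32\drivers\example.sys",
}

if __name__ == "__main__":
    for svc, fix in audit_services(SAMPLE_SERVICES).items():
        print(f"{svc}: unquoted path with spaces; set ImagePath to {fix}")
```

Entries the function cannot parse (no recognisable executable extension) are returned unflagged and should be reviewed by hand.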

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type / Values Removed / Values Added
  • Description: Comodo Chromodo Browser 52.15.25.664 contains an unquoted service path vulnerability in the ChromodoUpdater service that runs with SYSTEM privileges. A local attacker can insert a malicious executable in the service path and execute arbitrary code with elevated privileges upon service restart or system reboot.
  • Title: Comodo Chromodo Browser 52.15.25.664 Unquoted Service Path Privilege Escalation
  • Weaknesses: CWE-428
  • References
  • Metrics:
    cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
    cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T14:16:43.150Z

Reserved: 2026-06-19T13:17:16.022Z

Link: CVE-2016-20088

OpenCVE Enrichment

Updated: 2026-06-19T20:00:12Z

Weaknesses
  • CWE-428: Unquoted Search Path or Element