Description
Comodo Chromodo Browser 52.15.25.664 contains an unquoted service path vulnerability in the ChromodoUpdater service that runs with SYSTEM privileges. A local attacker can insert a malicious executable in the service path and execute arbitrary code with elevated privileges upon service restart or system reboot.
Published: 2026-06-19
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ChromodoUpdater service in Comodo Chromodo Browser version 52.15.25.664 is configured with an unquoted service path. Because the service runs with SYSTEM privileges, a local attacker who can write to the service path directory can replace the executable with a malicious program. When the service is restarted or the system reboots, the malicious executable will run under SYSTEM rights, providing complete control over the affected machine.

Affected Systems

The affected product is Comodo Chromodo Browser, version 52.15.25.664. No other product or version information is provided in the CNA data. The flaw resides solely in the ChromodoUpdater component of this specific browser build.

Risk and Exploitability

Based on the description, the likely attack vector is local. The CVSS score of 8.5 indicates high severity, and the vulnerability is not listed in the CISA KEV catalog. EPSS data is not available, so the current exploit probability cannot be quantified. However, because the attack requires only local access to write to the service path, the risk of exploitation remains significant for users who have write permissions to that location or to the service registry settings. If an attacker succeeds, they can obtain SYSTEM privileges and potentially compromise the entire system.

Generated by OpenCVE AI on June 19, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Comodo Chromodo Browser to a version that corrects the unquoted service path in ChromodoUpdater.
  • If an update is not available, disable or delete the ChromodoUpdater service to prevent application of a malicious executable.
  • Restrict write permissions on the directory used by ChromodoUpdater and on its service configuration to prevent unauthorized replacement of the executable.
  • Patch the registry entry for the ChromodoUpdater service to quote the service path, directly addressing the CWE‑428 vulnerability.

Generated by OpenCVE AI on June 19, 2026 at 21:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Comodo
Comodo chromodo Browser
Vendors & Products Comodo
Comodo chromodo Browser

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Comodo Chromodo Browser 52.15.25.664 contains an unquoted service path vulnerability in the ChromodoUpdater service that runs with SYSTEM privileges. A local attacker can insert a malicious executable in the service path and execute arbitrary code with elevated privileges upon service restart or system reboot.
Title Comodo Chromodo Browser 52.15.25.664 Unquoted Service Path Privilege Escalation
Weaknesses CWE-428
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Comodo Chromodo Browser
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T17:15:20.655Z

Reserved: 2026-06-19T13:17:16.022Z

Link: CVE-2016-20088

cve-icon Vulnrichment

Updated: 2026-06-22T15:48:48.365Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:36:07Z

Weaknesses
  • CWE-428

    Unquoted Search Path or Element