Impact
Comodo Dragon Browser versions up to 52.15.25.663 contain a privilege escalation flaw in the DragonUpdater service caused by an unquoted service path that runs with SYSTEM privileges. A local attacker can place a malicious executable in the service path and trigger its execution by restarting the service or rebooting the system, allowing arbitrary code to run with elevated privileges. This weakness, classified as CWE‑428, enables a local actor to gain full control of the affected machine.
Affected Systems
Comodo Dragon Browser on Windows, versions up to 52.15.25.663. The DragonUpdater service runs as SYSTEM and the flaw is exploitable by users who have local write permission in the service’s directory. Based on the description, it is inferred that remote exploitation is not possible.
Risk and Exploitability
The CVSS score of 8.5 marks the vulnerability as high severity. The EPSS score is not available. Because the flaw requires local write access and the ability to restart the service or reboot the system, the attack vector is local only. Based on the description, it is inferred that remote exploitation is not possible. The vulnerability is not listed in the CISA KEV catalog, indicating no widespread exploitation has been reported. However, the attack is straightforward for a local user or insider, making it a high‑impact risk for any machine with the affected browser installed.
OpenCVE Enrichment