Impact
PSEvents.exe, a background module in several Panda Security products, executes with SYSTEM privileges and automatically loads DLL files from a directory that is writable by non‑administrator users. The component fails to validate or restrict the path of DLLs it loads, which allows a local attacker to drop a malicious DLL into that directory. When PSEvents.exe loads the file, the attacker’s code runs with the full SYSTEM account, giving the attacker complete control over the affected machine. This flaw is a classic example of insecure DLL loading, mapping to CWE‑427, and results in total local privilege escalation.
Affected Systems
The vulnerability affects Panda Security’s Panda Antivirus Pro 2016, Panda Global Protection 2016, Panda Internet Security 2016, and Panda Small Business Protection, all versions up to 16.1.2. These products are widely deployed in both enterprise and small‑business environments and rely on the PSEvents.exe service for regular operations.
Risk and Exploitability
The CVSS score of 8.5 indicates a high severity issue, while the EPSS score of <1% suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The flaw requires only local write access to the monitored DLL directory, meaning any user with local access—encompassing typical non‑administrator accounts—can perform the attack. Based on the description, the likely attack vector is a local file‑write that leads to DLL hijacking and execution as SYSTEM.
OpenCVE Enrichment
EUVD