Sandboxie-Plus versions 1.17.2 and earlier contain an INI injection flaw that permits a standard local user to bypass configuration restrictions such as EditAdminOnly and ConfigPassword, thereby injecting arbitrary directives into the global Sandboxie.ini file. The vulnerability is triggered through non‑sanitized CRLF characters in both the value and setting name parameters handled by the background service. By creating a new sandbox section header with unrestricted permissions, an attacker can escape the sandbox and obtain SYSTEM privileges. The weakness manifests as a configuration injection (CWE‑93) that directly compromises the integrity of the sandbox isolation mechanism.

Affected products include the Sandboxie-Plus application known as Sandboxie. Any installation running version 1.17.2 or earlier is vulnerable. The issue was fixed in the subsequent release, version 1.17.3, which removes the privilege escalation vector and enforces proper authorization checks.

The CVSS score of 9.3 signals a critical risk level. Although an EPSS score is not available, the lack of listing in the CISA KEV catalog does not diminish the potential impact. The attack vector is local: a non‑administrator account can exploit the INI injection through normal user privileges and elevate itself to SYSTEM by manipulating the configuration file carried by the privileged background service. Due to the high severity and the straightforward local exploitation path, this vulnerability poses a significant threat to Windows systems running the affected version of Sandboxie-Plus.