Impact
NSIS (Nullsoft Scriptable Install System) from 3.06.1 up to, but not including, 3.12 contains a flaw where the runtime may use a low integrity level (Low IL) temporary directory when running under the SYSTEM account. If a malicious local user can force the internal function my_GetTempFileName to return zero, the installer can write files to that Low IL directory and then execute them with SYSTEM privileges. This is an uncontrolled search path element weakness (CWE-427) that directly permits local privilege escalation, potentially allowing an attacker to modify the system or install persistent malware. The impact is significant because SYSTEM access provides full control over the OS, enabling complete compromise of the affected machine.
Affected Systems
The flaw affects the Nullsoft Scriptable Install System regardless of which vendor distributes the installer, on Windows clients and servers alike. The affected releases are NSIS 3.06.1 through 3.11.2; versions 3.12 and later incorporate the fix. No additional vendor or product variants are listed. If your environment uses NSIS 3.06.1 through 3.11.x, you are potentially vulnerable.
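To triage installers against the range above, the following added example (not code from the NSIS project or from this advisory) extracts the NSIS version string from installer bytes and checks it against 3.06.1 <= version < 3.12. It assumes the installer stub's manifest carries a description of the form "Nullsoft Install System v3.08"; that marker format, the function names and the sample byte strings are assumptions and constructed values, not taken from this page.

```python
import re

# Affected range as stated on this page: 3.06.1 <= version < 3.12.
FIRST_AFFECTED = (3, 6, 1)
FIRST_FIXED = (3, 12, 0)

# Assumption (not from this page): the stub's embedded manifest contains a
# description such as "Nullsoft Install System v3.08".
STUB_MARKER = re.compile(
    rb"Nullsoft Install System v(\d+(?:\.\d+){1,2})(?![\w.])"
)


def parse_version(text):
    """Turn '3.06.1', 'v3.11' or '3.12' into a 3-tuple of ints."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised NSIS version: {text!r}")
    # NSIS zero-pads the minor part ("3.06"), so compare as integers.
    return tuple(int(part or 0) for part in m.groups())


def is_affected(version_text):
    """True when the version falls inside the range given on this page."""
    return FIRST_AFFECTED <= parse_version(version_text) < FIRST_FIXED


def classify_installer(data):
    """Return 'affected', 'not-affected' or 'unknown' for raw file bytes."""
    m = STUB_MARKER.search(data)
    if not m:
        # No marker: not an NSIS installer, a pre-release build, or repacked.
        return "unknown"
    version = m.group(1).decode("ascii")
    return "affected" if is_affected(version) else "not-affected"


if __name__ == "__main__":
    # Constructed byte strings standing in for installer files.
    prefix = b"MZ\x90<description>Nullsoft Install System v"
    samples = {
        "built-with-3.08.exe": prefix + b"3.08</description>",
        "built-with-3.12.exe": prefix + b"3.12</description>",
        "not-nsis.exe": b"MZ\x90no marker here",
    }
    for name, blob in samples.items():
        print(f"{name}: {classify_installer(blob)}")
```

An "unknown" result means only that no marker was found, so such files still need manual review.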
Risk and Exploitability
The CVSS score of 7.8 indicates high severity, while the EPSS score of less than 1% suggests a low probability that attackers are actively exploiting this issue at present. The flaw is not listed in CISA's KEV catalog, further indicating limited known exploitation. The vulnerability requires a local attacker to trigger a zero return from my_GetTempFileName, so some user privilege is necessary, which a compromised user account could provide. The attack path is local, relying on the installer's behavior under SYSTEM and the Low IL temp directory, and does not require network reachability or external code injection.