Bypass Record

Exploitation for Priv-Esc × Stormshield Endpoint Security Evolution

A publicly-reported instance of Exploitation for Priv-Esc bypassing Stormshield Endpoint Security Evolution, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Stormshield Endpoint Security Evolution
Technique: Exploitation for Priv-Esc
MITRE ATT&CK: T1068
Confidence: High
Severity: High
Status: unknown
Disclosed: 2023-06-27
Config / version noted: Yes

Provenance

Reported as

insecure permissions, enabling an interactive user to instruct the agent to create arbitrary files with local system privileges

Mechanism

The SES Evolution agent runs with local system privileges and has insecure permissions, enabling an interactive user to instruct the agent to create arbitrary files anywhere on the system with those elevated privileges.

Detection & mitigation

Monitor for unexpected file creation events by the SES Evolution agent process in sensitive directories (e.g., System32, startup folders) using EDR/XDR telemetry or file integrity monitoring. Mitigate by applying the vendor patch and enforcing least privilege to limit interactive user access to the agent.

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.