Attackers Use SolarWinds Dameware Flaw to Escalate Privileges on Windows

A significant vulnerability in SolarWinds Dameware Mini Remote Control (MRC), a popular remote desktop management tool used by enterprises worldwide, was uncovered by security researchers.

The flaw, assigned CVE-2025-26396, allows attackers with local access and a low-privileged account to escalate their privileges to higher levels a technique commonly leveraged in post-exploitation phases of network intrusions.

The vulnerability stems from incorrect permissions set on the Dameware Mini Remote Control service, which could allow a local attacker to gain unauthorized access or execute code with elevated privileges.

This flaw, rated as high severity (CVSS 7.8), was responsibly disclosed by Alexander Pudwill in collaboration with Trend Micro Zero Day Initiative and has been addressed in the new Dameware 12.3.2 release.

Technical Analysis

The root cause of the issue lies in the permissions assigned to the Dameware MRC service files and directories during installation and updates.

Incorrect Access Control Lists (ACLs) could permit a non-administrative user to replace, modify, or execute processes with SYSTEM-level authority.

Attack Scenario

1. Local Access Required: The attacker must first obtain access to a Windows machine running Dameware MRC with a low-privileged account, such as a standard domain user.
2. Service Manipulation: Leveraging the misconfigured file or directory permissions, the attacker can overwrite or replace service binaries or configuration files.
3. Privilege Escalation: Upon service restart (manual or automatic), Windows launches the manipulated component with SYSTEM privileges, granting the attacker complete control over the machine.

Abusing Insecure Permissions

While specific exploit details are being withheld to protect customers, a typical method involves replacing the service executable with a malicious payload. On affected systems, an attacker could execute commands similar to:

powershell# Identify the Dameware service executable path
$service = Get-WmiObject -Class Win32_Service | Where-Object { $_.Name -eq "DamewareMiniRemoteControl" }
$exePath = $service.PathName

# Replace or modify the binary with attacker-controlled code (requires exploit of weak ACL)
Copy-Item "C:\attacker\payload.exe" $exePath -Force

# Restart the Dameware service to trigger the payload
Restart-Service -Name "DamewareMiniRemoteControl"

Patch Now: Upgrading to Dameware 12.3.2

SolarWinds has responded swiftly by releasing Dameware 12.3.2, which corrects the permissions issue and includes additional security library upgrades, such as updates to CodeJock Xtreme Toolkit Pro, zlib, the Chilkat API, and enhanced .NET dependencies. The patch also addresses several session stability and certificate management bugs identified in previous releases.

IT administrators are strongly advised to:

• Upgrade all Dameware instances to version 12.3.2 as soon as possible.
• Audit Windows server and workstation environments for signs of local privilege escalation.
• Restrict local accounts and monitor for unauthorized file changes in Dameware program directories.

The exploitation of CVE-2025-26396 demonstrates the continued importance of secure software configurations, timely patch management, and vigilant endpoint monitoring. As attackers increasingly seek privilege escalation paths in enterprise environments, rapid mitigation of such vulnerabilities is critical to defense-in-depth strategies.