devolo dLAN Cockpit 4.3.1 Unquoted Service Path Privilege Escalation

Advisories

severity: high
date: January 7, 2026
Affecting: devolo dLAN Cockpit 4.3.1
CVE: CVE-2019-25231
CWE: CWE-428 Unquoted Search Path or Element
CVSS: 8.5
CVSS V4 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: Zero Science Lab Vulnerability Advisory
Packet Storm Security Exploit Entry
CXSecurity Vulnerability Listing
IBM X-Force Vulnerability Exchange
Devolo Vendor Homepage
Credit: Stefan Petrushevski
Description: devolo dLAN Cockpit 4.3.1 contains an unquoted service path vulnerability in the 'DevoloNetworkService' that allows local non-privileged users to potentially execute arbitrary code. Attackers can exploit the insecure service path configuration by inserting malicious code in the system root path to execute with elevated privileges during application startup or system reboot.