ABR-WIN-26-01
This advisory describes a possible process spoofing vulnerability in the Admin By Request Windows driver.
Notification
| Metric | Value |
|---|---|
| Criticality: | Medium |
| Published: | 2026-03-09 |
| CVE ID: | TBD |
| CWE: | TBD |
| ABR ID: | ABR-WIN-26-01 |
Rating
| Metric | NVD Calculated Rating |
|---|---|
| CVSS 3.1 Score | TBD |
| CVSS 3.1 Vector | TBD |
This advisory is available in PDF format:
Considerations
Admin By Request’s internal assessment rates the risk as medium based on the following:
- Exploitation of the vulnerability requires an attacker to have access to the endpoint.
- An attacker must have the ability to programmatically execute the exploit.
Description
A vulnerability allowing spoofing of a parent process under certain configuration conditions has been discovered in the driver included with the Admin By Request Windows client.
The vulnerability can be leveraged by listening for the elevation driver startup signal and then posing as the driver to elevate non-approved applications or processes.
For the vulnerability to be exploitable, Admin By Request must be configured to use authentication methods other than UAC.
Mitigation
The driver vulnerability has been resolved in Admin By Request 8.7. The updated driver has also been patched into all prior available versions of Admin By Request for Windows.
There are several options to mitigate the issue depending on preference:
- Update Windows endpoints to Admin By Request 8.7.
- Enable the Auto-update feature of Admin By Request.
- Change Admin By Request authentication settings to “Authenticate”.
- Re-download and re-install a prior version from the Admin By Request portal.
- Utilize our driver updater utility to update the driver (no re-install required).
- Manually update the driver file.
Please see the Vulnerability Mitigation Guide for more details.
Acknowledgment
Mateusz Paszynski, ProDrive Technologies
Jefferey Hanssen, ProDrive Technologies