Saturday, May 2, 2026

Microsoft Sysinternals 0-Day Vulnerability Enables DLL Injection Attacks on Windows

A critical zero-day vulnerability has been discovered in Microsoft Sysinternals tools, posing a serious security threat to IT administrators and developers worldwide.

The vulnerability enables attackers to exploit DLL injection techniques to execute malicious code, putting systems at risk of compromise.

Despite being disclosed to Microsoft over 90 days ago, the issue remains unresolved, leaving users reliant on manual mitigations to safeguard their environments.

Microsoft Sysinternals is a widely used suite of tools designed for system analysis, troubleshooting, and malware investigation.

Popular utilities, such as Process Explorer, Autoruns, and Bginfo, are integral to system administrators for monitoring processes, configurations, and services.

However, unlike many Windows components that receive regular updates through the Windows Update infrastructure, Sysinternals tools require manual updates.

This lack of integration creates a significant window of risk when vulnerabilities, such as this one, are discovered.

Details of the Vulnerability

According to the Cyber Security News report, the vulnerability arises from how Sysinternals tools handle dynamic-link library (DLL) file loading.

These tools prioritize untrusted paths—such as the current working directory (CWD) or network paths—over safe, system-designated directories.

This allows attackers to stage malicious DLLs in the same location as a legitimate Sysinternals executable.

How the Exploit Works:

  1. Crafting a Malicious DLL: An attacker creates a DLL (e.g., cryptbase.dll or TextShaping.dll) embedded with malicious payloads.
  2. File Placement: The DLL is placed alongside a legitimate Sysinternals executable (e.g., Bginfo.exe).
  3. Execution: When the targeted application is executed, it loads the malicious DLL instead of the trusted one.
  4. Result: The attacker’s code runs with the user’s system privileges, potentially leading to full system compromise.

Real-World Application: Bginfo Trojan Deployment

One of the most glaring examples of exploitation involves the Bginfo tool, used in enterprise environments to display desktop system information.

In a simulated scenario, an attacker places a malicious DLL on a shared network directory. During system startup, a script executes Bginfo.exe directly from the network path.

The tool, in turn, loads the malicious DLL instead of the legitimate one, enabling the proliferation of malware like Trojans or backdoors across multiple systems. A technical writeup by the researcher cautions:

“If the network path contains a prepared DLL, each client can be automatically compromised during the startup process.”
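To make the search-order problem described above concrete, here is an added example (not code from the article, the researcher, or Sysinternals) that models the documented Windows DLL search order and audits a tool directory for DLLs that shadow system copies. The directory layout, the helper names (`resolve_dll`, `shadowed_dlls`, `build_scenario`) and the empty stand-in files are constructed for the example; the DLL names follow the article.

```python
"""Model of the Windows DLL search order applied to a Sysinternals launch.

Constructed example: directories are created in a temp folder and DLLs are
empty files, so the script runs offline on any OS and never loads anything.
"""
import os
import tempfile

# Documented Windows order for an unqualified LoadLibrary(name): the
# application directory first, then (legacy mode) the current working
# directory, then the system directories. SafeDllSearchMode (the default)
# moves the CWD after the system directories, but the app directory still
# wins, which is why a DLL planted beside Bginfo.exe on a share is loaded.
def search_order(app_dir, cwd, system_dirs, safe_mode=True):
    order = [app_dir]
    if not safe_mode:
        order.append(cwd)
    order.extend(system_dirs)
    if safe_mode:
        order.append(cwd)
    return order

def resolve_dll(name, app_dir, cwd, system_dirs, safe_mode=True):
    """Return the path the loader would pick for `name`, or None."""
    for d in search_order(app_dir, cwd, system_dirs, safe_mode):
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate
    return None

def shadowed_dlls(app_dir, system_dirs):
    """Audit: DLL names beside the executable that also exist in a system dir.
    Each hit is a DLL the loader would take from app_dir instead of System32."""
    local = {f.lower() for f in os.listdir(app_dir) if f.lower().endswith(".dll")}
    system = set()
    for d in system_dirs:
        system |= {f.lower() for f in os.listdir(d)}
    return sorted(local & system)

def build_scenario():
    """Constructed layout: a share with Bginfo.exe plus a planted cryptbase.dll,
    a clean local copy of Bginfo.exe, and a System32 holding the real DLLs."""
    root = tempfile.mkdtemp()
    share, local, sys32 = (os.path.join(root, n) for n in ("share", "local", "System32"))
    for d in (share, local, sys32):
        os.makedirs(d)
    for p in ("share/Bginfo.exe", "share/cryptbase.dll", "local/Bginfo.exe",
              "System32/cryptbase.dll", "System32/TextShaping.dll"):
        open(os.path.join(root, *p.split("/")), "wb").close()
    return share, local, sys32

if __name__ == "__main__":
    share, local, sys32 = build_scenario()
    print("from share :", resolve_dll("cryptbase.dll", share, share, [sys32]))
    print("from local :", resolve_dll("cryptbase.dll", local, local, [sys32]))
    print("shadowed   :", shadowed_dlls(share, [sys32]))
```

Running the audit against the directory a logon script launches Bginfo.exe from shows exactly which DLLs would be hijacked; the local-copy case illustrates Microsoft's recommended mitigation.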

The vulnerability was responsibly disclosed to Microsoft on October 28, 2024, in line with industry best practices.

However, Microsoft classified the issue as a “defense-in-depth” enhancement, meaning it does not consider the vulnerability a critical flaw but rather an issue to be addressed via secure usage practices.

Microsoft’s stance emphasizes running Sysinternals tools from local directories rather than network locations.

The researcher, however, argues this approach overlooks real-world scenarios where tools are executed directly from shared directories. As of February 2025, the vulnerability remains unpatched, exposing organizations to significant risk.

Sysinternals tools are indispensable for IT administration and malware analysis, yet this vulnerability highlights their inherent risks.

While trusted for identifying malicious behavior on systems, these tools now face scrutiny for enabling DLL injection attacks themselves. Until Microsoft addresses the issue, users must remain vigilant and proactive in securing their environments.

Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
