Scroll Top

Atera Windows installers patched after critical Zero-Day vulnerabilities exposed users to privilege escalation attacks


In a recent security revelation, critical zero-day vulnerabilities were uncovered in the Windows Installers for the Atera remote monitoring and management software, leaving users susceptible to potential privilege escalation attacks. The flaws, brought to light by Mandiant on February 28, 2023, could have acted as a springboard for attackers to gain elevated privileges on affected systems.

The two vulnerabilities, identified as CVE-2023-26077 and CVE-2023-26078, were promptly addressed by Atera, leading to the release of remediated versions and on April 17, 2023, and June 26, 2023, respectively. Security researcher Andrew Oliveau raised concerns about the potential risks associated with the ability to initiate operations from the NT AUTHORITY\SYSTEM context, as misconfigured Custom Actions running as such can be exploited by malicious actors to execute local privilege escalation attacks.

The root of the vulnerabilities lies in the MSI installer’s repair functionality, which could result in operations being triggered from an NT AUTHORITY\SYSTEM context, even if initiated by a standard user. Exploiting these weaknesses could allow attackers to execute arbitrary code with elevated privileges, significantly compromising the security of affected systems.

Mandiant, a threat intelligence firm owned by Google, disclosed the specific details of the flaws. CVE-2023-26077, which can be leveraged through DLL hijacking, exposes the Atera Agent to a local privilege escalation attack, potentially providing attackers with access to the NT AUTHORITY\SYSTEM user’s Command Prompt. On the other hand, CVE-2023-26078 involves the execution of system commands that activate the Windows Console Host (conhost.exe) as a child process, creating an opening for attackers to execute a command window with elevated privileges and initiate a local privilege escalation attack.

Andrew Oliveau emphasized the importance of developers carefully reviewing their Custom Actions to prevent attackers from hijacking NT AUTHORITY\SYSTEM operations triggered by MSI repairs. Misconfigured Custom Actions can be easily exploited by threat actors, presenting significant security risks for organizations.

The revelation of these vulnerabilities comes in the wake of another severe privilege escalation flaw in Windows (CVE-2023-23397, CVSS score: 9.8), which has already been fixed by Microsoft but was actively exploited by Russian nation-state groups since April 2022. Kaspersky recently uncovered evidence indicating real-world exploit attempts by an unknown attacker targeting government and critical infrastructure entities in Jordan, Poland, Romania, Turkey, and Ukraine a month before the public disclosure.

The discovery of critical zero-day vulnerabilities in Atera’s Windows Installers underscores the importance of continuous security vigilance and prompt remediation to protect users from potential exploits. Users of Atera’s remote monitoring and management software are strongly urged to update their installations to the latest patched versions ( and to mitigate the risks posed by these vulnerabilities and ensure the safety and integrity of their systems. urges all users and organizations to remain vigilant and keep their software up-to-date to safeguard against emerging threats and security vulnerabilities. Collaborative efforts between software developers, security researchers, and users play a crucial role in maintaining a secure digital landscape for all.

Leave a comment

You must be logged in to post a comment.
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.