CVE-2025-5480: Action1 Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

7.8 CVSS

Description

Action1 Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Action1. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the configuration of OpenSSL. The product loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-26767.

Classification

CVE ID: CVE-2025-5480

CVSS Base Severity: HIGH

CVSS Base Score: 7.8

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem Types

CWE-427: Uncontrolled Search Path Element

Affected Products

Vendor: Action1

Product: Action1

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.01% (probability of being exploited)

EPSS Percentile: 1.61% (scored less or equal to compared to others)

EPSS Date: 2025-06-07 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-5480
https://www.zerodayinitiative.com/advisories/ZDI-25-323/
https://www.action1.com/blog/acknowledging-zdi-can-26767-high-severity-vulnerability-in-action1-agent/

Timeline

2025-06-03 21:45:27 UTC
Zero Day Initiative Published Advisories

ZDI-25-323: Action1 Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
2025-06-06 19:40:22 UTC
CVE

Action1 Uncontrolled Search Path Element Local Privilege Escalation Vulnerability