CVE-2021-3394
Published 2021-02-09


Priority: P2 / 60 / high
CVSS 3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 5.79% (92.2nd percentile)
Millennium Millewin (also known as "Cartella clinica") 13.39.028, 13.39.28.3342, and 13.39.146.1 has insecure folder permissions allowing a malicious user for a local privilege escalation.

Affected (3 ranges)

Vendor   | Product  | Version range | Fixed in
millewin | millewin |               |
millewin | millewin |               |
millewin | millewin |               |

Detection & IOCs (extracted from sources)

path: C:\Program Files (x86)\Millewin\MilleUpdater\MilleUpdater.exe
path: C:\Program Files (x86)\Millewin\GestioneTaskService.exe
path: C:\Program Files (x86)\Millewin\WatchDogService.exe
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MilleLiveUpdate
url: https://download.millewin.it/files/Millewin/setup/InstMille_Demo_13.39_2019PS.exe
  • Monitor the registry run key 'MilleLiveUpdate' under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for unauthorized modifications to the value data pointing to MilleUpdater.exe, which executes at startup with SYSTEM privileges.
  • Alert on unexpected writes or file replacements under 'C:\Program Files (x86)\Millewin\' and 'C:\Program Files (x86)\Millewin\MilleUpdater\' by non-administrative (BUILTIN\Users / Everyone) accounts, as both directories grant full control (F) to these groups.
  • Detect process creation of GestioneTaskService.exe or WatchDogService.exe from unexpected parent processes or with anomalous hashes, as these services run as LocalSystem and their binaries can be replaced by low-privileged users.
  • Hunt for unquoted service path abuse against the services 'MillewinTaskService' and 'PDSserver'; look for executable files planted in parent directories of the service binary paths (e.g., 'C:\Program Files (x86)\Millewin.exe') that the Windows Service Control Manager may resolve before the intended binary.
  • Affected versions are specifically 13.39.028, 13.39.28.3342, and 13.39.146.1; detections targeting file/registry paths are only relevant on hosts running these Millewin versions.
  • The vulnerability is exploitable only on Windows deployments of Millewin; the insecure ACLs grant BUILTIN\Users and Everyone full control (OI)(CI)(F) over the installation directory, which is the root condition enabling the privilege escalation.
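The following PowerShell script is an added defender-side audit, not part of this CVE record and not vendor code. It checks a Windows host for the three conditions the detection notes above describe: write-class ACEs for BUILTIN\Users or Everyone on the two installation directories, unquoted binary paths on the two named services, and the MilleLiveUpdate Run value together with the Authenticode status and SHA256 of the three listed binaries. The directory, binary, service and registry names come from the record above; the write-rights mask, the expected Run target, the Authenticode check and the inclusion of Authenticated Users in the weak-group list are this example's own assumptions.

```powershell
# Added audit example for CVE-2021-3394: run from an elevated PowerShell session on a
# host where Millewin is installed. Paths, service names and the Run value name are
# taken from the CVE record; the rights mask, expected Run target and signature check
# are assumptions of this example.

$InstallDirs  = @('C:\Program Files (x86)\Millewin',
                  'C:\Program Files (x86)\Millewin\MilleUpdater')
$KnownBins    = @('C:\Program Files (x86)\Millewin\MilleUpdater\MilleUpdater.exe',
                  'C:\Program Files (x86)\Millewin\GestioneTaskService.exe',
                  'C:\Program Files (x86)\Millewin\WatchDogService.exe')
$ServiceNames = @('MillewinTaskService', 'PDSserver')
$RunKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunName      = 'MilleLiveUpdate'
$ExpectedRun  = $KnownBins[0]                      # assumption: Run value should launch the updater
$WeakGroups   = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($check, $object, $detail) {
    $findings.Add([pscustomobject]@{ Check = $check; Object = $object; Detail = $detail })
}

# 1. Directory ACLs: an Allow ACE that gives a low-privileged group write-class rights
#    (or a GENERIC_WRITE / GENERIC_ALL bit) lets that group replace the service binaries.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership)
$genericWriteOrAll = 0x50000000   # GENERIC_WRITE (0x40000000) | GENERIC_ALL (0x10000000)
foreach ($dir in $InstallDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($WeakGroups -notcontains $ace.IdentityReference.Value) { continue }
        $raw = [int]$ace.FileSystemRights
        if ((($raw -band $writeMask) -ne 0) -or (($raw -band $genericWriteOrAll) -ne 0)) {
            Add-Finding 'WeakDirectoryAcl' $dir "$($ace.IdentityReference) has $($ace.FileSystemRights)"
        }
    }
}

# 2. Service binary paths: an unquoted path containing spaces lets the SCM try shorter
#    prefixes (e.g. 'C:\Program Files (x86)\Millewin.exe') before the intended binary.
foreach ($name in $ServiceNames) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) { continue }
    $p = $svc.PathName
    if ($p -notmatch '^"' -and $p -match '^(?i)(.+?\.exe)' -and $Matches[1] -match ' ') {
        Add-Finding 'UnquotedServicePath' $name "$p (runs as $($svc.StartName))"
    }
}

# 3. Run value and binary integrity: confirm MilleLiveUpdate still points at the updater,
#    and record signature status plus SHA256 for each known binary. The record gives no
#    reference hashes, so the first run is a baseline; unsigned vendor builds will also
#    appear here and must be baselined rather than treated as tampering.
$runValue = (Get-ItemProperty -Path $RunKey -Name $RunName -ErrorAction SilentlyContinue).$RunName
if ($runValue) {
    $target = $runValue -replace '^"([^"]+)".*$', '$1'     # strip quotes and any arguments
    if ($target -ne $ExpectedRun) {
        Add-Finding 'RunKeyTarget' $RunName "points to '$target', expected '$ExpectedRun'"
    }
}
foreach ($bin in $KnownBins) {
    if (-not (Test-Path -LiteralPath $bin)) { continue }
    $sig  = Get-AuthenticodeSignature -LiteralPath $bin
    $hash = (Get-FileHash -LiteralPath $bin -Algorithm SHA256).Hash
    if ($sig.Status -ne 'Valid') {
        Add-Finding 'BinarySignature' $bin "signature status $($sig.Status); SHA256 $hash"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: directory ACLs, service paths, Run value and signatures look as expected.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A WeakDirectoryAcl finding on either directory is the root condition the record describes and is the one to remediate first, by removing the offending ACEs (for example with icacls /remove:g) after confirming the application does not need write access for ordinary users; an UnquotedServicePath finding is fixed by quoting the binary path in the service configuration. Because the page publishes no reference hashes, keep the SHA256 values from a clean install and alert on later changes rather than on the first run's output.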

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.5 MEDIUM  AV:N/AC:L/Au:S/C:P/I:P/A:P