Unknown · WiX Toolset · CVE-2024-24810
**Name of the Vulnerable Software and Affected Versions**
WiX Toolset versions prior to 4.0.4
**Description**
The WiX Toolset Burn bootstrapper engine performs an unreliable (untrusted) path search that can be abused through DLL redirection, allowing a local attacker to escalate privileges. Every bundle built with an affected version of the WiX framework is impacted, not just the toolset itself, because the Burn engine is embedded in each installer. The weak point is the `.be` folder that Burn creates under the TEMP directory. When a bundle is launched by a non-administrator, that folder is created in the user's own writable TEMP folder, and the engine re-launches from it when it elevates. An attacker who watches the user's TEMP folder for the `.be` folder to appear and drops a DLL-redirection folder into it (for example `.be\<bundle>.Local`, the standard `<executable>.local` redirection convention) containing a malicious copy of a DLL the engine loads, such as `comctl32.dll`, gets that DLL loaded into the elevated process and therefore executed with administrator privileges.
**Recommendations**
Update the WiX Toolset to version 4.0.4 or later and rebuild affected bundles; an installer keeps the vulnerable Burn engine until it is rebuilt with a fixed toolset. Until that is possible, reduce exposure by restricting access to the `.be` folder under TEMP so that other processes cannot create folders or files inside it, since a `.local` folder with a planted DLL such as `comctl32.dll` is what turns the path search into code execution. Be aware that a bundle run by a non-administrator uses that user's TEMP folder, so monitor it for the appearance of `.local` folders or unexpected DLLs alongside the Burn engine files.
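To make the monitoring advice above concrete, the following Python script is an added example and is not code from the WiX project or from the original advisory. It walks a TEMP root, looks for Burn `.be` folders, and reports any `*.local` DLL-redirection folder found inside them together with the DLLs it contains. The `.be` folder name and the `<bundle>.Local` example come from the description above; the sample directory tree the script builds (bundle name `Setup.exe`, a planted `comctl32.dll`) is constructed for the demonstration and does not come from a real system.

```python
import os
import tempfile
from pathlib import Path


def find_local_redirection_dirs(temp_root):
    """Scan temp_root for Burn '.be' folders that contain a '*.local'
    DLL-redirection folder.

    Returns a sorted list of (relative_local_dir, [dll names]) tuples.
    Names are matched case-insensitively because Windows file systems are,
    so both 'Setup.exe.Local' and 'setup.exe.local' are reported.
    """
    temp_root = Path(temp_root)
    findings = []
    for dirpath, dirnames, _ in os.walk(temp_root):
        # Only the '.be' folder created by the Burn engine is of interest.
        if Path(dirpath).name.lower() != ".be":
            continue
        for sub in dirnames:
            if not sub.lower().endswith(".local"):
                continue
            local_dir = Path(dirpath) / sub
            # DLL redirection loads DLLs directly from the '.local' folder,
            # so only its top-level files are relevant.
            dlls = sorted(
                p.name for p in local_dir.iterdir()
                if p.is_file() and p.suffix.lower() == ".dll"
            )
            rel = local_dir.relative_to(temp_root).as_posix()
            findings.append((rel, dlls))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample layout (not captured from a real machine):
    one clean '.be' folder and one where an attacker has planted a
    'Setup.exe.Local' redirection folder holding a fake comctl32.dll."""
    base = Path(base)
    clean = base / "clean" / ".be"
    clean.mkdir(parents=True)
    (clean / "Setup.exe").write_bytes(b"")

    attacked = base / "attacked" / ".be"
    planted = attacked / "Setup.exe.Local"
    planted.mkdir(parents=True)
    (attacked / "Setup.exe").write_bytes(b"")
    (planted / "comctl32.dll").write_bytes(b"MZ")   # fake DLL payload
    (planted / "readme.txt").write_bytes(b"")       # non-DLL, must be ignored
    return base


def demo():
    """Build the constructed tree in a scratch directory and scan it."""
    base = tempfile.mkdtemp(prefix="be-scan-")
    build_sample_tree(base)
    return find_local_redirection_dirs(base)


if __name__ == "__main__":
    for local_dir, dlls in demo():
        print(f"DLL redirection folder found: {local_dir} -> {dlls}")
```

On a real host, point `find_local_redirection_dirs` at `%TEMP%` of the user who launched the bundle; the scan is a point-in-time check, so run it repeatedly, or hook it to a file-system watcher, while the installer is elevating.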