PT-2019-12864 · London Trust Media · Private Internet Access (PIA) VPN Client

Rich Mirch · Published 2019-07-11 · Updated 2019-07-16 · CVE-2019-12574

CVSS v2.0: 9.3 High
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

London Trust Media Private Internet Access (PIA) VPN Client version 1.0

Description

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The issue is related to a DLL injection vulnerability during the software update process, where the updater loads several libraries from a folder that authenticated users have write access to. This allows a low-privileged user to execute arbitrary code as SYSTEM.

Recommendations

For London Trust Media Private Internet Access (PIA) VPN Client version 1.0, consider restricting access to the folder where the updater loads libraries to prevent low-privileged users from exploiting the DLL injection vulnerability. As a temporary workaround, consider disabling the software update process until a patch is available.
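
To check whether a folder is exposed in the way the description states, the following PowerShell audit (an added example, not code from the vendor or the reporter) lists Allow entries that give low-privileged principals write access to a directory. The advisory does not name the folder, so `$UpdaterDir` is a placeholder, and `Get-WritableAce` is a helper name made up for this example.

```powershell
# $UpdaterDir is a placeholder: the advisory does not name the folder.
param(
    [string]$UpdaterDir = 'C:\PLACEHOLDER\updater-library-folder'
)

# Well-known SIDs for principals that every ordinary local user belongs to.
$lowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that let a user create or replace files, or rewrite the ACL to do so.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership'
# GENERIC_WRITE | GENERIC_ALL, which can appear unmapped on inherit-only entries.
$genericMask = 0x40000000 -bor 0x10000000

function Get-WritableAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl   = Get-Acl -LiteralPath $Path
    # Ask for SIDs instead of names so the match does not depend on OS language.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $lowPrivSids.ContainsKey($sid)) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $writeMask) -or ($rights -band $genericMask)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $lowPrivSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $UpdaterDir -PathType Container)) {
    Write-Warning "'$UpdaterDir' not found; pass -UpdaterDir with the real folder."
    return
}
$findings = @(Get-WritableAce -Path $UpdaterDir)
if ($findings.Count) { $findings | Format-Table -AutoSize }
else { "No low-privileged write access found on $UpdaterDir" }
```

An entry reported with `Inherited = True` has to be corrected on the parent folder it comes from, or inheritance disabled on the audited folder, before the write access goes away.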

Exploit

Fix

Untrusted Search Path

Weakness Enumeration

Related Identifiers

CVE-2019-12574

Affected Products

Private Internet Access (PIA) VPN Client