
[Non-public] Privilege escalation vulnerability in Safetica Client for Windows (on-premises only)

✍️Applies to: Devices running Safetica Client for Windows (Safetica on-premises only)

 

Vulnerability overview

Safetica identified a local privilege escalation vulnerability in Safetica Client for Windows. It is exploited by manipulating the OpenSSL configuration file (openssl.cnf) that the client loads.

  • Severity (CVSS score): 7.8 (High)
  • Exploitability: local only (cannot be exploited remotely)
  • Affected deployments: Safetica On-Prem only
  • Cloud-hosted Safetica: Not affected

What an attacker could achieve

A non-admin user who can manipulate the openssl.cnf read by the Safetica Client on an affected device can escalate privileges locally on that device. The attacker needs an existing local account or code execution as a standard user; the issue is not reachable over the network.

Recommended remediation

We strongly recommend updating to one of the fixed Safetica versions as soon as possible, preferably to the latest Cumulative release.

Temporary mitigation for environments where updating is not possible

✍️When to use this workaround: You are currently unable to update to a fixed Safetica version.

If updating to one of the fixed Safetica versions is currently not possible, you can apply a temporary workaround to reduce the risk of exploitation related to OpenSSL configuration file manipulation (openssl.cnf).

 

What the workaround does

Safetica provides a batch script that must be run with administrative privileges on every device running Safetica Client for Windows (Safetica on-premises only). The script:

  • Creates the folder C:\TFS-Git.
  • Removes access rights for non-administrative users on that folder.

Once the folder exists and is owned and writable by administrators only, a standard user can neither create it nor write into it, and so can no longer use it to supply a manipulated OpenSSL configuration file (openssl.cnf). This closes the exploitation path described above without changing the client itself.

❗This workaround is a temporary mitigation and does not replace updating to a fixed version.

 

Workaround prerequisites

  • Download the Safetica-provided batch script here.
  • Local administrator rights on devices (for manual execution) or a central management mechanism that runs scripts with elevated privileges (for remote execution).

 

Workaround procedure

Option 1: Run locally on a device (manual)

  1. Obtain the batch script provided by Safetica.
  2. Copy the script to the device.
  3. Right-click the script and select Run as administrator.

Option 2: Deploy remotely (recommended for centrally managed environments)

For centrally managed environments, we recommend executing the script remotely, for example via Group Policy (GPO) or another endpoint management solution.

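
The following PowerShell script is an added example and is not Safetica's batch script (which is what the procedure above deploys). It reproduces the two documented actions, creating C:\TFS-Git and removing non-administrator access, and adds two things worth having when rolling the workaround out: a warning when the folder already exists and is owned by someone other than SYSTEM or Administrators (an unexpected C:\TFS-Git on a device that has never had the workaround deserves a look before it is locked down), and a post-change verification of the ACL with a non-zero exit code on failure. How "remove access for non-administrative users" is realised here (inheritance disabled, DACL limited to SYSTEM and BUILTIN\Administrators, owner set to Administrators) is this example's choice, not a statement about what Safetica's script does. Run it from an elevated session, or as a computer startup script via GPO.

```powershell
#Requires -RunAsAdministrator
# Added example, not Safetica's batch script: recreate the advisory's workaround in
# PowerShell and verify the result. Assumptions: C:\TFS-Git is the path named in the
# advisory; "no access for non-administrative users" is implemented here as
# inheritance disabled, DACL = SYSTEM + BUILTIN\Administrators only, owner = Administrators.
$Path      = 'C:\TFS-Git'
$SystemSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'      # NT AUTHORITY\SYSTEM
$AdminsSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators
$Trusted   = @($SystemSid.Value, $AdminsSid.Value)

# Returns $true when the folder no longer inherits ACEs and every ACE is an Allow for
# SYSTEM or Administrators; used to verify the result after the change.
function Test-RestrictedFolderAcl([string]$Folder) {
    $acl = Get-Acl -LiteralPath $Folder
    if (-not $acl.AreAccessRulesProtected) { return $false }
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -notin $Trusted -or $ace.AccessControlType -ne 'Allow') { return $false }
    }
    return $true
}

# 1. Create the folder, or look at it first if someone else got there before us: a
#    C:\TFS-Git owned by a standard user on a device that never had this workaround
#    is exactly the situation the advisory warns about, so record its contents
#    before locking it down.
if (-not (Test-Path -LiteralPath $Path)) {
    New-Item -ItemType Directory -Path $Path | Out-Null
} else {
    $ownerSid = (Get-Acl -LiteralPath $Path).GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    if ($ownerSid -notin $Trusted) {
        Write-Warning "$Path already exists and is owned by $ownerSid; review these files before trusting the device:"
        Get-ChildItem -LiteralPath $Path -Recurse -Force | Select-Object FullName, Length, LastWriteTime
    }
}

# 2. Replace the DACL: stop inheriting from C:\, drop every existing ACE, then grant
#    FullControl (folder, subfolders and files) to SYSTEM and Administrators only.
#    Take ownership too: an owner keeps WRITE_DAC implicitly whatever the DACL says,
#    so a pre-existing folder owned by a standard user could otherwise be re-ACLed back.
$acl = Get-Acl -LiteralPath $Path
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
foreach ($sid in @($SystemSid, $AdminsSid)) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($sid, 'FullControl', $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
$acl.SetOwner($AdminsSid)
Set-Acl -LiteralPath $Path -AclObject $acl

# 3. Verify, and exit non-zero on failure so a GPO or endpoint-management deployment can report it.
if (Test-RestrictedFolderAcl $Path) {
    Write-Output "OK: $Path is restricted to SYSTEM and Administrators"
    exit 0
}
Write-Error "FAILED: $Path still grants access to a non-administrative principal"
exit 1
```

Pre-creating the folder is what does the work: on a default Windows installation, Authenticated Users may create subfolders directly under C:\, so an admin-owned, admin-only folder is what stops a standard user from creating one themselves. The script is idempotent, so it is safe to assign as a startup script that runs on every boot, and it only warns when the folder's owner is not SYSTEM or Administrators, which keeps repeated runs quiet on devices where the workaround is already in place.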
Next steps

  • Plan and perform an update to one of the fixed Safetica versions when feasible.
  • Keep this workaround in place only as long as needed to bridge the update gap. 

✍️If you have questions or require assistance, contact Safetica Support at support@safetica.com

Affected and fixed Safetica versions

The fix is already available in the following Safetica versions.

  Safetica                            Affected versions   Fixed from version
  Safetica 11 – Cumulative release    < 11.26.19          11.26.19 and newer
  Safetica 11 – Feature release       < 11.29.8           11.29.8 and newer
  Safetica 10                         < 10.5.150          10.5.150 and newer

There are two options for updating:

  • We recommend updating via the XML. Learn how to perform the update here.
  • To update via the Universal Installer, run the installer, select Manual installation, and choose to install Safetica Management Service.

Recommended: Cumulative release 11.26.19

If you are using a Feature release - Update to 11.29.8

If you are still using Safetica 10.5.x - Update to 10.5.150: