External risk intelligence

VegaBird Yaazhini DLL Hijacking Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2024-45873

This vulnerability is a DLL hijacking issue requiring an attacker to place a malicious file in the local application directory. This is a client-side attack vector that relies on local file system access, which is not characteristic of public internet-facing services, network gateways, or externally reachable infrastructure.

Code Injection

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists in VegaBird Yaazhini 2.0.2 that could allow attackers to execute arbitrary code by placing a malicious file in the application's directory. This flaw requires an attacker to have local file system access to exploit, making it less likely to affect externally reachable services.

  • Malicious file placement enables code execution.
  • Confirms relevance and potential exposure.
  • Focus on local access, not external threats.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by placing a malicious DLL file in the same directory as the vulnerable application's executable. This would allow them to trick the application into loading their crafted DLL instead of a legitimate one, leading to the execution of arbitrary code and the potential for persistent access to the system.

  • Requires attacker to place malicious DLL.
  • Vulnerable application loads crafted DLL.
  • Arbitrary code execution and persistence.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to execute arbitrary code or maintain persistence on a system running VegaBird Yaazhini when a crafted DLL is placed in the same directory as the Yaazhini.exe executable. This scenario might occur if an attacker can trick a user into downloading and running the malicious DLL or if they gain the ability to write files to the application's directory.

  • System files could be compromised.
  • Malicious code could be executed.
  • Persistence may be established.

Operational Fix

Recommended remediation, mitigation, and detection steps

VegaBird Yaazhini 2.0.2's DLL hijacking vulnerability requires local file system access to exploit, making it a client-side attack vector. The first step is to confirm if this application is deployed and accessible within your environment, identify the accountable owner, and then assess the business criticality and potential exposure before planning remediation.

  • Application owners should own this issue.
  • Verify if VegaBird Yaazhini is deployed.
  • Plan remediation based on exposure risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is VegaBird Yaazhini?

VegaBird Yaazhini is a software application that includes an executable file, Yaazhini.exe. Like many Windows-based programs, it relies on Dynamic Link Library (DLL) files to perform specific functions. It is used by organizations for operational tasks, and its security depends on the integrity of the files located within its installation directory.

What does CWE-94 mean for CVE-2024-45873?

CWE-94 classifies this as an improper control of generation of code vulnerability. In the context of CVE-2024-45873, it means the application inadvertently trusts and executes code from an unauthorized source. Because the software does not properly verify the legitimacy of the DLL files it loads, an attacker can substitute a malicious file to run their own commands with the same privileges as the application.

How is this DLL hijacking triggered?

The vulnerability is triggered when a crafted DLL file is placed into the same folder as the application's executable. When the program starts, it automatically attempts to load the malicious file instead of the intended one. Importantly, this bug is not triggered by remote network traffic; it specifically requires someone or something to have the ability to write files to the local directory where the software is installed.

Why should I care about this if it is local?

According to Halo Surface Signal, this is considered very unlikely to affect internet-facing infrastructure because the attack depends on local file system access. You should care if you have users with administrative rights or other software that could be compromised to drop files onto the system, as this could allow an attacker to gain persistent control over the host running Yaazhini.

How do I respond to this vulnerability?

Start by auditing your systems to identify if VegaBird Yaazhini 2.0.2 is installed in your environment. Once identified, coordinate with the system owners to evaluate the risk of unauthorized local file access. Prioritize restricting write permissions to the application's installation directory to prevent untrusted files from being placed there, and monitor for any suspicious files appearing in that folder.

References