A potential security vulnerability in the Intel® Enpirion® Digital Power Configurator GUI software may allow escalation of privilege. Intel is not releasing updates to mitigate this potential vulnerability and has issued a Product Discontinuation Notice for the Intel® Enpirion® Digital Power Configurator GUI software.
CVEID: CVE-2022-25999
Description: Uncontrolled search path element in the Intel® Enpirion® Digital Power Configurator GUI software, all versions may allow an authenticated user to potentially enable escalation of privilege via local access.
CVSS Base Score: 6.7 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Intel® Enpirion® Digital Power Configurator GUI software, all versions.
Intel has issued a Product Discontinuation notice for the Intel® Enpirion® Digital Power Configurator GUI software and recommends that users of the Intel® Enpirion® Digital Power Configurator GUI software uninstall it or discontinue use at their earliest convenience.
Possible Alternative Workarounds - Intel recommends creating the following directory on the system where Intel® Enpirion® Digital Power Configurator is installed: C:\Qt\5.12.9\, and modifying the directory permissions so that all users are allowed only the following permissions: “Read”, “List folder contents” and “Read & execute”, with full control allowed only for Administrators and trusted accounts.
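One way to apply the workaround above from an elevated PowerShell prompt, as an added example that is not part of Intel's advisory. It assumes that "all users" maps to the built-in Users group and that the only trusted account besides Administrators is SYSTEM; the owner check at the end is an extra verification, not a step from the advisory.

```powershell
# Added example: pre-create C:\Qt\5.12.9\ with a restrictive ACL (run elevated).
$path = 'C:\Qt\5.12.9'

# Create the directory (and its parent) if it does not exist yet.
New-Item -ItemType Directory -Path $path -Force | Out-Null

# Well-known SIDs, so the script does not depend on localized group names.
$admins = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544') # BUILTIN\Administrators
$system = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')     # SYSTEM (assumed trusted account)
$users  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545') # BUILTIN\Users (assumed "all users")

# Apply each rule to the folder, its subfolders and its files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$acl = New-Object System.Security.AccessControl.DirectorySecurity
# Block inheritance from C:\ and C:\Qt and drop any inherited entries,
# so write access granted higher up does not flow into this folder.
$acl.SetAccessRuleProtection($true, $false)

foreach ($sid in @($admins, $system)) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, 'FullControl', $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}

# ReadAndExecute covers "Read", "List folder contents" and "Read & execute".
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $users, 'ReadAndExecute', $inherit, $prop, $allow)
$acl.AddAccessRule($rule)

Set-Acl -Path $path -AclObject $acl

# Extra check: a directory that already existed may be owned by a standard
# user, and an owner can rewrite the ACL regardless of the entries above.
$owner = (Get-Acl -Path $path).GetOwner([System.Security.Principal.SecurityIdentifier])
if ($owner.Value -notin @($admins.Value, $system.Value)) {
    Write-Warning "Owner of $path is $($owner.Value); review ownership of this directory."
}

# Show the resulting entries for review.
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```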
Intel would like to thank Marius Gabriel Mihai for reporting this issue.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.