CVE-2024-31498 Overview
CVE-2024-31498 is a privilege escalation vulnerability in the Yubico YubiKey Manager GUI (ykman-gui) on Windows. In versions before 1.2.6, when ykman-gui itself is running with Administrator privileges, any browser window it opens (for example by following a link from within the application) is launched with those same Administrator privileges unless Microsoft Edge is the default browser. The flaw is classified under CWE-269: Improper Privilege Management. A local, authenticated user who runs the GUI elevated therefore ends up with an elevated browser, and anyone who can influence the web content that browser loads can act in that highly privileged context. Yubico documented the issue in Yubico Security Advisory YSA-2024-01.
Critical Impact
A Windows user who has started ykman-gui with Administrator rights (which Windows requires for FIDO2 management through the tool) gets a default browser that inherits those rights whenever the application opens a URL. Content loaded in that browser, and any file it downloads or program it starts, runs as Administrator, which is a path to full compromise of the host.
Affected Products
- Yubico YubiKey Manager GUI (ykman-gui) on Windows, versions prior to 1.2.6
- Windows hosts where Microsoft Edge is not the configured default browser
- Endpoints where ykman-gui is launched with elevated privileges
Discovery Timeline
- 2024-04-04 - CVE-2024-31498 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-31498
Vulnerability Analysis
The YubiKey Manager GUI is a cross-platform graphical front end for configuring YubiKey hardware tokens; only the Windows build is affected. The application opens external URLs (documentation and help links) in the user's default browser. When ykman-gui is running elevated and the default browser is not Microsoft Edge, the browser process it spawns inherits the Administrator security context of the parent process.
The result is an Administrator-owned browser at High integrity rendering web content, executing JavaScript, downloading files and writing to disk with the full Administrator token rather than the filtered standard-user token that UAC normally gives a desktop session. Every subsequent navigation, extension action and file save happens outside the restrictions a medium-integrity user process would face. The issue is tracked as CWE-269: Improper Privilege Management.
Root Cause
The root cause is that ykman-gui opens the URL directly from its elevated process through the Windows shell, so the child browser process starts with the parent's Administrator token; nothing in the launch path drops or restricts that token first. The advisory notes that the issue does not occur when Microsoft Edge is the default browser; other browsers simply run with the inherited token and therefore launch as Administrator. This is a process-launch privilege management defect, not a memory-corruption issue.
Attack Vector
Exploitation requires the YubiKey Manager GUI to be running with Administrator rights. That is a common state on Windows because FIDO2 management in ykman needs Administrator privileges there, so users who manage FIDO2 credentials routinely launch the GUI elevated. From that state, any in-application action that opens an external URL launches the default browser elevated. The attacker's contribution is the content: a page the elevated browser is lured to, a malicious download, or a browser extension now runs with Administrator rights, from which an adversary can write to protected directories, execute payloads, or install persistence. Refer to Yubico Security Advisory YSA-2024-01 for vendor technical details.
Detection Methods for CVE-2024-31498
Indicators of Compromise
- Browser processes (chrome.exe, firefox.exe, brave.exe) running at High or System integrity level with ykman-gui.exe as the parent process
- File writes by elevated browser processes to protected paths such as C:\Windows\System32 or C:\Program Files
- Unexpected child processes spawned from a browser that was launched by ykman-gui.exe
Detection Strategies
- Hunt for parent-child process relationships where ykman-gui.exe spawns a browser binary, then inspect the integrity level of the child
- Inventory installed versions of YubiKey Manager GUI across Windows endpoints and flag any release earlier than 1.2.6
- Monitor for elevated browser sessions writing to startup folders, scheduled task locations, or registry Run keys
Monitoring Recommendations
- Forward Windows Sysmon Event ID 1 (process creation) with integrity-level fields to a centralized log platform for correlation
- Alert on any process tree originating from ykman-gui.exe that includes a browser launching a secondary executable
- Track installations and upgrades of ykman-gui through software inventory tooling to confirm patch deployment
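The parent-child hunt described above, as an added PowerShell example that is not from Yubico or the advisory: it flattens Sysmon Event ID 1 (process creation) records, flags a browser whose ParentImage is ykman-gui.exe with IntegrityLevel High or System, and runs that test over the live Sysmon channel. The function names, the browser list and the sample event are this example's own; the sample event is constructed for offline testing, not a capture. It assumes Sysmon is installed and logging to its default Microsoft-Windows-Sysmon/Operational channel.

```powershell
# Added example (not Yubico's code): hunt Sysmon process-creation events for
# browsers spawned by ykman-gui.exe at an elevated integrity level.
# Assumes Sysmon is installed and writing to the default channel.

# Browser images to watch for; extend to match what is deployed on your endpoints.
$BrowserImages = @('chrome.exe', 'firefox.exe', 'brave.exe', 'opera.exe', 'vivaldi.exe')

function ConvertFrom-SysmonEventXml {
    # Flatten the <EventData><Data Name="..."> pairs of a Sysmon event into a hashtable.
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $fields = @{}
    foreach ($d in $doc.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Get-LeafName {
    # File name component of a path; empty string when the field is missing.
    param([string]$Path)
    if ($Path) { return (Split-Path -Leaf $Path) } else { return '' }
}

function Test-YkmanElevatedBrowserLaunch {
    # True when the event is a known browser spawned directly by ykman-gui.exe
    # while running at High (UAC-elevated) or System integrity.
    param([Parameter(Mandatory)][hashtable]$Fields)
    $parent = Get-LeafName $Fields['ParentImage']
    $image  = Get-LeafName $Fields['Image']
    return ($parent -eq 'ykman-gui.exe') -and
           ($BrowserImages -contains $image) -and
           ($Fields['IntegrityLevel'] -in @('High', 'System'))
}

function Find-YkmanElevatedBrowserLaunch {
    # Live hunt over the Sysmon channel; emits one object per matching event.
    param([datetime]$Since = (Get-Date).AddDays(-30))
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $f = ConvertFrom-SysmonEventXml -Xml $_.ToXml()
        if (Test-YkmanElevatedBrowserLaunch -Fields $f) {
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                User           = $f['User']
                IntegrityLevel = $f['IntegrityLevel']
                ParentImage    = $f['ParentImage']
                Image          = $f['Image']
                CommandLine    = $f['CommandLine']
                ProcessId      = $f['ProcessId']
            }
        }
    }
}

# Constructed sample event (not a real capture) to exercise the logic offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
    <Data Name="CommandLine">"C:\Program Files\Google\Chrome\Application\chrome.exe" https://example.com/</Data>
    <Data Name="User">CORP\alice</Data>
    <Data Name="IntegrityLevel">High</Data>
    <Data Name="ParentImage">C:\Program Files\Yubico\YubiKey Manager\ykman-gui.exe</Data>
    <Data Name="ProcessId">4242</Data>
  </EventData>
</Event>
'@

# Offline check against the constructed event, then the live hunt.
Test-YkmanElevatedBrowserLaunch -Fields (ConvertFrom-SysmonEventXml -Xml $sample)
Find-YkmanElevatedBrowserLaunch | Format-Table -AutoSize
```

An elevated ykman-gui started through UAC runs at High integrity, so that is the level to expect; a System-integrity hit would point at a service or scheduled-task context that deserves its own investigation. The same field test can be dropped into a SIEM rule once Sysmon events are forwarded.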
How to Mitigate CVE-2024-31498
Immediate Actions Required
- Upgrade YubiKey Manager GUI to version 1.2.6 or later on all Windows endpoints
- Audit which users and service accounts run ykman-gui with Administrator rights and remove unnecessary elevation
- Set Microsoft Edge as the default browser on systems where the patched version cannot be deployed immediately
Patch Information
Yubico released a fixed build in YubiKey Manager GUI version 1.2.6. Download the updated installer from Yubico (the YSA-2024-01 advisory links to the release) and deploy it through standard software management workflows. Validate the installation by confirming the version reported by ykman-gui is 1.2.6 or higher.
Workarounds
- Run ykman-gui as a standard user rather than Administrator for every task that does not need elevation (on Windows, FIDO2 management is the operation that forces an elevated launch)
- Configure Microsoft Edge as the system default browser to avoid the elevated launch path in unpatched builds
- Restrict installation of the vulnerable GUI to administrative workstations isolated from general user activity
# Verify installed YubiKey Manager version on Windows (PowerShell)
# Check both the 64-bit and 32-bit (WOW6432Node) uninstall hives; anything below 1.2.6 is vulnerable
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
                 "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue |
Where-Object { $_.DisplayName -like "*YubiKey Manager*" } |
Select-Object DisplayName, DisplayVersion
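Building on the version check above, the following added PowerShell example (not Yubico's code) evaluates both preconditions for this CVE on a host: a ykman-gui build older than 1.2.6, and a default https handler other than Microsoft Edge, which is the workaround the advisory allows. The uninstall registry hives and the UserChoice key are standard Windows locations and MSEdgeHTM is Edge's registered ProgId; the function names are this example's own.

```powershell
# Added example (not Yubico's code): report whether this host is exposed to
# CVE-2024-31498 by combining the installed ykman-gui version with the
# current user's default https:// handler.

function Get-YkmanGuiInstalledVersion {
    # DisplayVersion of the YubiKey Manager entry in the 64-bit, 32-bit and per-user uninstall hives.
    $uninstallKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*YubiKey Manager*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-VulnerableYkmanVersion {
    # True for any parseable version below 1.2.6; $null when the string cannot be parsed.
    param([string]$DisplayVersion)
    $parsed = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$parsed)) { return $null }
    return $parsed -lt [version]'1.2.6'
}

function Get-DefaultHttpsProgId {
    # Per-user default handler for https:// URLs (HKCU, so run this as the user who launches ykman-gui).
    $key = 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice'
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ProgId
}

function Test-Cve202431498Exposure {
    $version    = Get-YkmanGuiInstalledVersion
    $vulnerable = if ($version) { Test-VulnerableYkmanVersion $version } else { $false }
    $progId     = Get-DefaultHttpsProgId
    # Edge and its Beta/Dev channels register ProgIds beginning with MSEdge.
    $edgeDefault = [bool]($progId -like 'MSEdge*')
    [pscustomobject]@{
        InstalledVersion   = $version
        VulnerableBuild    = $vulnerable
        DefaultHttpsProgId = $progId
        EdgeIsDefault      = $edgeDefault
        # Exposed only when an old build is present and Edge is not the default browser.
        Exposed            = ($vulnerable -eq $true) -and -not $edgeDefault
    }
}

Test-Cve202431498Exposure
```

A VulnerableBuild of $null means the DisplayVersion string could not be parsed and should be checked by hand rather than treated as safe. Because the UserChoice key is per-user, an elevated ykman-gui started under a different administrator account follows that account's default browser, so run the check in the context that actually launches the tool.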
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


