CVE-2025-67813 Overview
Quest KACE Desktop Authority through version 11.3.1 contains an Insecure Permissions vulnerability (CWE-276) affecting the Named Pipes used for inter-process communication. This flaw allows local attackers with low privileges to potentially manipulate IPC communications between Desktop Authority components, leading to unauthorized access to sensitive data or system manipulation.
Critical Impact
Local attackers can exploit insecure Named Pipe permissions to intercept or manipulate inter-process communications, potentially gaining unauthorized access to sensitive configuration data or escalating privileges within the Desktop Authority environment.
Affected Products
- Quest KACE Desktop Authority through version 11.3.1
Discovery Timeline
- 2026-01-12 - CVE-2025-67813 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-67813
Vulnerability Analysis
This vulnerability stems from improper access control configuration on Named Pipes utilized by Quest KACE Desktop Authority for inter-process communication (IPC). Named Pipes are a Windows mechanism that enables processes to communicate with each other, and when configured with overly permissive access controls, they can be accessed by unauthorized local users.
The insecure permissions allow any authenticated local user to connect to and potentially interact with the Named Pipes used by Desktop Authority services. This could enable an attacker to read sensitive data being transmitted between processes, inject malicious commands, or interfere with the normal operation of the software.
Root Cause
The root cause of CVE-2025-67813 is the assignment of incorrect or overly permissive Discretionary Access Control Lists (DACLs) on the Named Pipe objects created by Quest KACE Desktop Authority. CWE-276 (Incorrect Default Permissions) indicates that the software fails to properly restrict access to these IPC channels, violating the principle of least privilege.
When Named Pipes are created without explicit security descriptors or with weak default permissions, any local user may be able to open handles to these pipes, enabling unauthorized interaction with privileged processes.
Attack Vector
The attack requires local access to the system where Quest KACE Desktop Authority is installed. An attacker with low-level user privileges can enumerate Named Pipes on the system and identify those created by Desktop Authority services. Once identified, the attacker can:
- Connect to the Named Pipe as a client to read or write data
- Impersonate or intercept communications between Desktop Authority components
- Potentially inject malicious payloads or commands into the IPC stream
- Gather sensitive configuration or credential information transmitted through the pipe
The attack does not require user interaction and can be executed with minimal complexity once local access is obtained. The vulnerability affects confidentiality, integrity, and availability of the affected system, though the scope remains unchanged (local impact only).
Detection Methods for CVE-2025-67813
Indicators of Compromise
- Unusual Named Pipe connections from non-Desktop Authority processes
- Unexpected user accounts accessing Desktop Authority Named Pipes
- Anomalous IPC traffic patterns or data volumes between system processes
- Process injection or handle duplication events targeting Desktop Authority services
Detection Strategies
- Monitor Windows Security Event logs for Named Pipe access events (Event ID 5145 for detailed file share access)
- Use endpoint detection tools to track process interactions with Desktop Authority Named Pipes
- Implement file system auditing on Named Pipe objects to detect unauthorized access attempts
- Deploy behavioral analysis to identify suspicious IPC patterns from low-privilege processes
Monitoring Recommendations
- Enable advanced auditing for object access on Windows systems running Desktop Authority
- Configure SentinelOne to monitor for suspicious Named Pipe enumeration and access patterns
- Establish baseline behavior for Desktop Authority IPC communications to detect anomalies
- Review access control lists on Named Pipes periodically to ensure proper restrictions
How to Mitigate CVE-2025-67813
Immediate Actions Required
- Review and inventory all systems running Quest KACE Desktop Authority versions through 11.3.1
- Restrict local access to affected systems to trusted administrators only
- Apply vendor patches or updates when available from Quest
- Implement network segmentation to limit lateral movement potential from compromised systems
Patch Information
Quest has released a security advisory addressing this vulnerability. Administrators should consult the Quest Security Advisory CVE-2025-67813 for the latest patch information and upgrade instructions. It is strongly recommended to update to a patched version of Desktop Authority as soon as available.
Workarounds
- Implement strict access controls on local user accounts to minimize the attack surface
- Use Windows Security Policy to restrict Named Pipe access to authorized service accounts only
- Deploy application whitelisting to prevent unauthorized processes from interacting with Desktop Authority pipes
- Consider temporarily disabling non-essential Desktop Authority features that rely on Named Pipe IPC until patching is complete
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
