CVE-2023-35841
CVSS 3.1 base score: 7.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 / Impact: 5.9
Source: 22d9ba52-f336-4b0d-bf1f-0efbdcc3c1de (Secondary)
Description
Exposed IOCTL with Insufficient Access Control in Phoenix WinFlash Driver on Windows allows Privilege Escalation which allows for modification of system firmware. This issue affects WinFlash Driver: before 4.5.0.0.
Affected (1)
Products: Phoenixtech: Winflash
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Phoenixtech: Winflash | Before 4.5.0.0 |
Related CWEs
CWE-732
Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
CWE-782
Exposed IOCTL with Insufficient Access Control
The product implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.
References (6)
Source: 22d9ba52-f336-4b0d-bf1f-0efbdcc3c1de
Exploit, Third Party Advisory
Source: 22d9ba52-f336-4b0d-bf1f-0efbdcc3c1de
Third Party Advisory
Source: 22d9ba52-f336-4b0d-bf1f-0efbdcc3c1de
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit, Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory