LiveActive security incident?Get immediate response
CVE Record

CVE-2012-5379: Untrusted search path vulnerability in the installation functionality in ActivePython 3.2.2.3, when install...

Untrusted search path vulnerability in the installation functionality in ActivePython 3.2.2.3, when installed in the top-level C:\ directory, might allow local users to gain privileges via a Trojan horse DLL in the C:\Python27 or C:\Python27\Scripts directory, which may be added to the PATH system environment variable by an administrator, as demonstrated by a Trojan horse wlbsctrl.dll file used by the "IKE and AuthIP IPsec Keying Modules" system service in Windows Vista SP1, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8 Release Preview. NOTE: CVE disputes this issue because the unsafe PATH is established only by a separate administrative action that is not a default part of the ActivePython installation

HighCVSS 7.3Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This disputed CVE describes a conditional Windows privilege-escalation risk involving legacy ActivePython installation behavior and unsafe PATH configuration. If the setup exists, a local user might cause a privileged Windows service to load an attacker-controlled DLL. Urgency is targeted: verify legacy hosts rather than treating it as broad exposure.

Executive priority

Treat this as a legacy configuration audit item, not an emergency internet-facing vulnerability. Prioritize if old Windows servers still run unsupported Python tooling with broad local user access.

Technical view

The record describes untrusted search path behavior when ActivePython 3.2.2.3 is installed at top-level C:\ and C:\Python27 or C:\Python27\Scripts is later added to the system PATH by an administrator. A local user might place a Trojan DLL that a Windows service loads. CVE explicitly disputes the issue because that PATH change is not default installation behavior.

Likely exposure

Exposure appears limited to legacy Windows systems with the specific ActivePython setup and administrator-added PATH entries. The source bundle does not provide reliable affected CPEs or a vendor-supported product matrix.

Exploitation context

The CVSS vector indicates local access, low privileges, and required user interaction. The bundle does not show KEV listing or cited evidence of active exploitation. The scenario depends on a separate administrative PATH misconfiguration.

Researcher notes

The CVE is disputed, and the affected field in the provided bundle is n/a. The useful technical signal is the described unsafe PATH plus writable directory condition. Do not assume default ActivePython installation is vulnerable without confirming the separate admin PATH action.

Mitigation direction

  • Check vendor or archived ActivePython guidance for supported remediation.
  • Remove unsafe writable directories from system PATH where possible.
  • Avoid installing language runtimes directly under C:\ on Windows hosts.
  • Restrict write permissions on runtime and Scripts directories.
  • Prioritize decommissioning unsupported ActivePython 3.2.2.3 installations.

Validation and detection

  • Inventory Windows hosts for ActivePython 3.2.2.3 installations.
  • Check whether C:\Python27 or C:\Python27\Scripts appears in system PATH.
  • Verify directory permissions prevent local users from writing DLLs.
  • Review service DLL search exposure only on matching legacy systems.
  • Document exceptions where vendor guidance is unavailable.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2012-5379 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.3 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
2Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.3CVSS 3.1HighCVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H1.35.9Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

7.3High
CVSS 3.1 vector shape for CVE-2012-5379Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.