Vulnerability Key Information

Vulnerability Title
Sonarr - Writable Binary Allows Local Low-Privilege Modification - Vulnerability Submission / CVE Report

Affected Product
Product: Sonarr
Component/File: C:\ProgramData\Sonarr\bin\Sonarr.Console.exe (service binary)
Observed Service: Sonarr service (status: running, startup type: automatic)
Version: 4.0.15.2940
Vendor: Sonarr Project (upstream: radarr/sonarr; please confirm coordination with vendor for disclosure)

Vulnerability Summary
If the service binary or its parent folder grants write or modify permissions to non-privileged users (e.g., BUILTIN\Users), a local user can replace or modify the executable. If the Sonarr service runs under a high-privilege account (e.g., LocalSystem / NT AUTHORITY\SYSTEM), the modified binary may execute with elevated privileges upon service restart or system reboot. This creates a local privilege escalation path.

Vulnerability Type and Category
Type: Insecure File Permissions / Improper Access Control (Local File Write)
Primary CWE: CWE-732 - Incorrect Assignment of Permissions to Critical Resources
Other CWEs: CWE-276 - Incorrect Default Permissions; CWE-284 - Improper Access Control

CVSS v3.1 (Recommended)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Score: 8.8 (High) - Local attack, low complexity, low privilege required; high impact if service runs under SYSTEM

Reproduction Steps (Proof of Concept - Non-Operational Summary)
1. Rename the original Sonarr.Console.exe binary in the path C:\ProgramData\Sonarr\bin\ to any other name.
2. Save malicious code in C:\ProgramData\Sonarr\bin\ as Sonarr.Console.exe.
3. Observe the service start (or system reboot) and execution of the replaced binary, which runs with service account privileges, demonstrating the privilege escalation path.

Impact
A local user with write access to the binary can achieve SYSTEM-level code execution if the Sonarr service runs under SYSTEM and the modified binary is executed, resulting in full host compromise.
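
Added example, not part of the original report and not Sonarr project code: a read-only PowerShell audit for the condition described in the Vulnerability Summary. It lists write-capable ACEs held by broad low-privilege groups on the binary and its parent folder, and shows the account the service runs as. The path is the one given in the report; the service name "Sonarr" and the function name Get-WeakAce are assumptions.

```powershell
# Added example (read-only audit; modifies nothing).
param(
    [string]$BinaryPath  = 'C:\ProgramData\Sonarr\bin\Sonarr.Console.exe', # path from the report
    [string]$ServiceName = 'Sonarr'  # assumption: name the service is registered under
)

# Rights that allow altering a file, or creating/renaming/deleting files in a folder.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Get-Acl can also return raw generic bits that the enum does not name.
$GENERIC_ALL = 0x10000000; $GENERIC_WRITE = 0x40000000
$mask = [int]$rights -bor $GENERIC_ALL -bor $GENERIC_WRITE

# Well-known SIDs of broad, non-administrative groups (locale-independent).
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-WeakAce {
    param([Parameter(Mandatory)][string]$Path)
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $inhOnly  = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        $hit = [int]$ace.FileSystemRights -band $mask
        if ($ace.AccessControlType -eq 'Allow' -and $lowPriv.ContainsKey($sid) -and $hit) {
            [pscustomobject]@{
                Path        = $Path
                Principal   = $lowPriv[$sid]
                Rights      = $ace.FileSystemRights
                Inherited   = $ace.IsInherited
                InheritOnly = $ace.PropagationFlags.HasFlag($inhOnly) # applies to children only
            }
        }
    }
}

# Check the binary itself and the folder that contains it.
$findings = foreach ($p in $BinaryPath, (Split-Path -Parent $BinaryPath)) {
    if (Test-Path -LiteralPath $p) { Get-WeakAce -Path $p }
}
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue

$findings | Format-Table -AutoSize
if ($svc) { "Service '{0}' runs as {1} ({2}, {3}): {4}" -f $svc.Name, $svc.StartName, $svc.State, $svc.StartMode, $svc.PathName }
if ($findings -and $svc.StartName -eq 'LocalSystem') {
    Write-Warning 'Low-privilege principals can modify a binary that runs as LocalSystem (CWE-732).'
}
```

An empty table means none of the listed groups hold write-capable rights on either path.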