CVE-2024-13960: Link Following Local Privilege Escalation Vulnerability in AVG TuneUp Version 23.4
First published: Fri May 09 2025(Updated: )
Link Following Local Privilege Escalation Vulnerability in TuneUp Service in AVG TuneUp Version 23.4 (build 15592) on Windows 10 allows local attackers to escalate privileges and execute arbitrary code in the context of SYSTEM via creating a symbolic link and leveraging a TOCTTOU (time-of-check to time-of-use) attack.
Credit: security@nortonlifelock.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| AVG TuneUp |
Remedy
Update to v24.1 31.7.2024 or newer.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-13960?
CVE-2024-13960 is classified as a high severity local privilege escalation vulnerability.
How do I fix CVE-2024-13960?
To mitigate CVE-2024-13960, update AVG TuneUp to the latest version provided by the vendor.
What software is affected by CVE-2024-13960?
CVE-2024-13960 affects AVG TuneUp Version 23.4 (build 15592) on Windows 10.
What attack method is used in CVE-2024-13960?
CVE-2024-13960 exploits a local privilege escalation vulnerability through symbolic links and a TOCTTOU (time-of-check to time-of-use) race condition.
Can CVE-2024-13960 be exploited remotely?
CVE-2024-13960 cannot be exploited remotely; it requires local access to the affected system.
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/title
- agent/weakness
- agent/remedy
- agent/type
- agent/description
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/severity
- agent/author
- agent/source
- agent/tags
- agent/event
- vendor/avg
- canonical/avg tuneup