CVE-2018-19113 in PNHMinfo

Summary

by MITRE

The Pronestor PNHM (aka Health Monitoring or HealthMonitor) add-in before 8.1.13.0 for Outlook has "BUILTIN\Users:(I)(F)" permissions for the "%PROGRAMFILES(X86)%\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe" file, which allows local users to gain privileges via a Trojan horse PronestorHealthMonitor.exe file.


Analysis

by VulDB Data Team • 10/14/2025

CVE-2018-19113 affects the Pronestor PNHM (Health Monitoring) add-in for Microsoft Outlook in versions before 8.1.13.0. It is a local privilege escalation flaw that stems from improper file permissions within the application's installation directory: the security descriptor of PronestorHealthMonitor.exe, located under Program Files, grants the BUILTIN\Users group full control. This misconfigured file system access control list lets any local user replace the executable with a Trojan horse. The vulnerability is classified under CWE-264, which covers permissions, privileges, and access controls in software systems. The "BUILTIN\Users:(I)(F)" entry indicates that all users hold full control over the executable, including the ability to modify, delete, and execute the file, which then runs with elevated privileges. This is a fundamental breakdown of the principle of least privilege on which system security boundaries depend. The vulnerability maps to ATT&CK technique T1068, which covers privilege escalation through local exploitation; here the elevated code execution is achieved by file system manipulation rather than a software exploit.

The operational impact is severe: a local attacker can gain elevated privileges through a straightforward Trojan horse attack. With local access, the attacker replaces the legitimate PronestorHealthMonitor.exe with a malicious executable of the same name in the same location, so the malicious code later executes with the privileges of the user who runs the add-in. This creates a persistent foothold that can be leveraged for further exploitation, including lateral movement within the network, data exfiltration, or establishment of backdoors. The vulnerability is particularly concerning because it affects the Outlook add-in environment, which typically runs with elevated privileges due to the nature of email client extensions. The attack requires minimal sophistication, relying on file replacement rather than a complex exploitation technique, so it is accessible to attackers with basic technical skills. The implications extend beyond the immediate privilege escalation: the malicious executable could be designed to maintain persistence, harvest credentials, or establish communication with command and control servers. The flaw undermines the security model of the Outlook environment and reflects a failure in the application's security hardening.

Mitigation for CVE-2018-19113 should start with immediate remediation by installing the patched version 8.1.13.0 or later, which corrects the file permissions. System administrators should audit the affected installation directory to verify that the correct permissions are in place and that no malicious files have been introduced. Write access to the executable should be restricted to authorized system accounts or administrators, removing the broad BUILTIN\Users permissions that enable the attack. Organizations should apply software supply chain controls that prevent unauthorized modification of critical files, including file integrity monitoring and application whitelisting. The vulnerability underlines the importance of correct access control implementation and of adhering to the principle of least privilege. Additional defensive measures include regular security assessments of third-party applications, endpoint protection that detects unauthorized file modifications, and network monitoring to identify activity that may follow a privilege escalation. Remediation should also include user education about local privilege escalation risks and the importance of secure file system permissions. Security teams should consider automated patch management so that security updates are deployed promptly and similar vulnerabilities do not remain unaddressed.
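A defender-side audit for the condition described above, added here as an example and not part of the MITRE or VulDB record: it parses the output of icacls for the add-in executable and flags allow entries that give every local user write or full control. The icacls text is constructed for the example around the ACE string the CVE quotes, and the expansion of %PROGRAMFILES(X86)% to its default value is an assumption.

```python
import re
from dataclasses import dataclass, field
# Path from the advisory; %PROGRAMFILES(X86)% expanded to its default value (assumption).
EXE_PATH = r"C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe"
# Constructed icacls output for a vulnerable install; the first ACE is the one quoted in the CVE text.
VULNERABLE_OUTPUT = EXE_PATH + r""" BUILTIN\Users:(I)(F)
        NT AUTHORITY\SYSTEM:(I)(F)
        BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""
# Constructed output for a hardened ACL: ordinary users may only read and execute the file.
HARDENED_OUTPUT = VULNERABLE_OUTPUT.replace(r"BUILTIN\Users:(I)(F)", r"BUILTIN\Users:(I)(RX)")
# Principals that cover every local account (en-US names as icacls prints them).
BROAD_PRINCIPALS = {"builtin\\users", "everyone", "nt authority\\authenticated users"}
# Simple rights that include write/delete, plus granular rights that let a user replace the file.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DE", "DC", "WDAC", "WO", "GA", "GW"}

@dataclass
class Ace:
    principal: str
    rights: set = field(default_factory=set)
    deny: bool = False
    inherited: bool = False  # (I): the ACE was inherited from the parent directory

def parse_icacls(output: str, path: str) -> list:
    """Parse the text icacls prints for one file into ACE records."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):            # first line carries the path before its ACE
            line = line[len(path):].strip()
        if not line or line.startswith("Successfully processed"):
            continue
        principal, _, perms = line.partition(":")
        ace = Ace(principal=principal.strip())
        for token in re.findall(r"\(([^)]*)\)", perms):
            if token == "DENY":
                ace.deny = True
            elif token == "I":
                ace.inherited = True
            elif token not in ("OI", "CI", "IO", "NP"):  # "F", "RX", or a list like "RD,WD,DE"
                ace.rights.update(t.strip() for t in token.split(","))
        aces.append(ace)
    return aces

def broad_write_aces(aces: list) -> list:
    """Allow-ACEs giving every local user modify/replace rights on the file: the CVE-2018-19113 condition."""
    return [a for a in aces
            if not a.deny and a.principal.lower() in BROAD_PRINCIPALS and a.rights & WRITE_RIGHTS]
```

The (I) flag on the reported entry means the permission was inherited from the installation directory, so the audit should also inspect the directory ACL, and the fix must address inheritance rather than only the file's explicit entries.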

Reservation: 11/08/2018
Moderation: accepted
CPE: ready
EPSS: 0.00098
KEV: no
Activities: very low
