CVE-2024-47196 in ModelSim

Summary

by MITRE • 10/08/2024

A vulnerability has been identified in ModelSim (All versions < V2024.3), Questa (All versions < V2024.3). vsimk.exe in affected applications allows a specific tcl file to be loaded from the current working directory. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges in installations where administrators or processes with elevated privileges launch vsimk.exe from a user-writable directory.


Analysis

by VulDB Data Team • 06/17/2025

This vulnerability exists in simulation software products from Intel Corporation, including ModelSim and Questa versions prior to V2024.3. The flaw resides in the vsimk.exe executable, which, when launched from a user-writable directory, can load a malicious Tcl script file from the current working directory. This behavior represents a classic path traversal and code injection vulnerability that enables privilege escalation. The vulnerability is particularly concerning because it requires only local authentication and can be exploited by attackers who have access to the system with standard user privileges. When a process with elevated privileges launches vsimk.exe from a directory controlled by an unprivileged user, the malicious Tcl file is executed with the elevated privileges of the launching process, creating a significant security risk. The attack vector is a violation of the principle of least privilege: a user-controlled file is executed with higher privileges than intended.

The technical implementation of this vulnerability follows the common pattern of insecure loading of dynamic libraries or script files. The vsimk.exe executable does not properly validate or sanitize the source of the Tcl file it loads, allowing any Tcl file present in the current working directory to be executed. This type of vulnerability maps directly to CWE-426 (Untrusted Search Path) and CWE-74 (Injection). The attack requires the attacker to place a malicious Tcl file in a directory from which the vulnerable executable will be launched, typically a directory the user can write to. The vulnerability is classified as a local privilege escalation because it allows an unprivileged user to execute code with elevated privileges when the vulnerable application is launched by a process with higher permissions. This scenario commonly occurs in development environments where users may need to run simulation tools from shared or user-accessible directories.

The operational impact of this vulnerability extends beyond simple code execution, as it enables attackers to potentially gain complete control of the system when the vulnerable application runs with administrative privileges. An attacker could leverage this to install backdoors, modify system files, or extract sensitive data from the simulation environment. The vulnerability is particularly dangerous in enterprise development environments where simulation tools are frequently run by administrators or service accounts with elevated permissions. The attack requires minimal sophistication and can be automated, making it a preferred vector for persistent threats. Organizations using these simulation tools in environments where user access is not properly restricted may find themselves vulnerable to privilege escalation attacks that could compromise entire development infrastructures.

Mitigation strategies should focus on restricting directory permissions and implementing proper input validation for the vsimk.exe executable. Organizations should ensure that the current working directory of the vulnerable applications is not writable by unprivileged users and that the applications are launched from secure, dedicated directories. The recommended approach applies least privilege principles: simulation tools are run from restricted directories that cannot be modified by regular users. Upgrading to version 2024.3 or later of the affected software products resolves this vulnerability by implementing proper validation of script file sources and ensuring that only trusted Tcl files are loaded.

Additional protective measures include monitoring for suspicious file creation in directories where simulation tools are executed and implementing application whitelisting policies that restrict execution of unauthorized Tcl scripts. The vulnerability demonstrates the importance of secure coding practices and proper privilege management in development tools that may be executed with elevated privileges in enterprise environments. Organizations should also consider security awareness training for developers who may inadvertently place malicious files in directories where sensitive applications are executed, since this is a social engineering vector that can be exploited through human error.
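The monitoring measure above can be expressed as a simple correlation rule. The following Python is an added defender-side illustration, not code from the advisory, VulDB, or the vendor: it correlates constructed file-creation and process-creation events (shaped loosely after Sysmon EventID 11 and EventID 1 fields) and flags any elevated launch of vsimk.exe whose working directory already held a .tcl file created by a different account. All paths, user names and file names are placeholders.

```python
import ntpath

# Constructed sample events (not real telemetry). Field names follow Sysmon
# FileCreate (EventID 11) and ProcessCreate (EventID 1); values are made up.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2024-10-08 09:00:01", "User": "LAB\\alice",
     "TargetFilename": "C:\\shared\\sim\\startup.tcl"},
    {"EventID": 1, "UtcTime": "2024-10-08 09:05:00", "User": "LAB\\svc_build",
     "IntegrityLevel": "High",
     "Image": "C:\\questasim\\win64\\vsimk.exe",
     "CurrentDirectory": "C:\\shared\\sim\\"},          # elevated, user-writable CWD
    {"EventID": 1, "UtcTime": "2024-10-08 09:06:00", "User": "LAB\\alice",
     "IntegrityLevel": "Medium",
     "Image": "C:\\questasim\\win64\\vsimk.exe",
     "CurrentDirectory": "C:\\Users\\alice\\proj"},     # not elevated: ignored
    {"EventID": 11, "UtcTime": "2024-10-08 09:10:00", "User": "LAB\\alice",
     "TargetFilename": "C:\\shared\\late.tcl"},         # different directory: ignored
]


def _norm_dir(path):
    """Normalise a Windows directory path (case, separators, trailing slash)."""
    return ntpath.normcase(ntpath.normpath(path))


def find_risky_launches(events):
    """Return elevated vsimk.exe launches whose working directory contains a
    .tcl file that another account created before the launch."""
    tcl_by_dir = {}
    for ev in events:
        if ev.get("EventID") == 11 and ev["TargetFilename"].lower().endswith(".tcl"):
            d = _norm_dir(ntpath.dirname(ev["TargetFilename"]))
            tcl_by_dir.setdefault(d, []).append(ev)
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        if ntpath.basename(ev["Image"]).lower() != "vsimk.exe":
            continue
        if ev.get("IntegrityLevel") not in ("High", "System"):
            continue  # only launches with elevated privileges matter here
        cwd = _norm_dir(ev["CurrentDirectory"])
        for f in tcl_by_dir.get(cwd, []):
            if f["User"].lower() != ev["User"].lower() and f["UtcTime"] <= ev["UtcTime"]:
                findings.append({"launched_by": ev["User"], "cwd": ev["CurrentDirectory"],
                                 "tcl_file": f["TargetFilename"], "created_by": f["User"]})
    return findings


if __name__ == "__main__":
    for hit in find_risky_launches(SAMPLE_EVENTS):
        print(hit)
```

Timestamps are compared as fixed-format strings, so the rule assumes all events use the same "YYYY-MM-DD HH:MM:SS" layout.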

Responsible

Siemens

Reservation

09/20/2024

Disclosure

10/08/2024

Moderation

accepted

CPE

ready

EPSS

0.00074

KEV

no

Activities

very low
