Vulnerabilities ›

CVE-2019-25288

High

Wacom WTabletService 6.6.7-3 contains an unquoted service path vulnerability that allows local attackers to execute malicious code with elevated privileges. Attackers can insert an executable file in

CWE-428 — Weakness Type

                    Published: Feb 5, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

7.8

🔗 NVD Official

📄 Description (English)

Wacom WTabletService 6.6.7-3 contains an unquoted service path vulnerability that allows local attackers to execute malicious code with elevated privileges. Attackers can insert an executable file in the service path to run unauthorized code when the service restarts or the system reboots.

🤖 AI Executive Summary

CVE-2019-25288 is a local privilege escalation vulnerability in Wacom WTabletService 6.6.7-3 exploiting an unquoted service path, allowing authenticated local attackers to execute arbitrary code with SYSTEM privileges. While no public exploit exists, the vulnerability is trivial to exploit and affects any system running the vulnerable Wacom driver version. Organizations using Wacom tablets for design, engineering, or secure workstations face immediate risk of privilege escalation and lateral movement.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 27, 2026 03:07

🇸🇦 Saudi Arabia Impact Assessment

Saudi organizations in creative industries (advertising agencies, design firms), government CAD/engineering departments, healthcare PACS workstations, and financial institutions using Wacom tablets for signature capture are at risk. The vulnerability enables local privilege escalation on workstations, potentially compromising sensitive design data, engineering blueprints, medical imaging systems, and financial transaction systems. Government entities under NCA oversight and SAMA-regulated financial institutions face compliance violations if Wacom-equipped systems are compromised. The attack requires local access, limiting exposure but creating insider threat risks in shared workstation environments.

🏢 Affected Saudi Sectors

Creative Industries & Design Government & Public Administration Healthcare (PACS Workstations) Financial Services & Banking Engineering & Architecture Education & Research

🎯 MITRE ATT&CK Techniques

T1548.004 - Abuse Elevation Control Mechanism: Unquoted Service Path T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys T1543.003 - Create or Modify System Process: Windows Service T1134.003 - Access Token Manipulation: Make and Impersonate Token T1053.005 - Scheduled Task/Job: Scheduled Task

⚖️ Saudi Risk Score (AI)

7.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all systems running Wacom WTabletService versions 6.6.7-3 or earlier using asset inventory tools

2. Restrict local access to affected workstations; implement physical access controls

3. Monitor for suspicious process creation from WTabletService parent process



PATCHING:

1. Upgrade Wacom WTabletService to version 6.6.8 or later immediately

2. Verify patch installation: Check service path in Registry (HKLM\SYSTEM\CurrentControlSet\Services\WTabletService) for quoted paths

3. Restart WTabletService and reboot systems to ensure patch activation



COMPENSATING CONTROLS (if patching delayed):

1. Disable WTabletService if not actively required; use 'sc config WTabletService start= disabled'

2. Implement AppLocker/Windows Defender Application Control to prevent unauthorized executable execution in service paths

3. Apply file system ACLs to restrict write permissions on service directories (C:\Program Files\Wacom\)

4. Run workstations with standard user privileges; disable auto-elevation



DETECTION:

1. Monitor Event Viewer for Service Control Manager events (Event ID 7045) indicating service modifications

2. Alert on process creation with WTabletService as parent process

3. Monitor file system changes in Wacom installation directories using File Integrity Monitoring

4. Sysmon Rule: Monitor for CreateRemoteThread from WTabletService process

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع الأنظمة التي تقوم بتشغيل إصدارات Wacom WTabletService 6.6.7-3 أو أقدم باستخدام أدوات جرد الأصول

2. تقييد الوصول المحلي إلى محطات العمل المتأثرة؛ تنفيذ عناصر التحكم في الوصول المادي

3. مراقبة إنشاء العمليات المريبة من عملية الوالد WTabletService

التصحيح:

1. ترقية Wacom WTabletService إلى الإصدار 6.6.8 أو أحدث على الفور

2. التحقق من تثبيت التصحيح: تحقق من مسار الخدمة في السجل (HKLM\SYSTEM\CurrentControlSet\Services\WTabletService) للمسارات المقتبسة

3. إعادة تشغيل WTabletService وإعادة تشغيل الأنظمة لضمان تفعيل التصحيح

عناصر التحكم التعويضية (إذا تأخر التصحيح):

1. تعطيل WTabletService إذا لم يكن مطلوبًا بنشاط؛ استخدم 'sc config WTabletService start= disabled'

2. تنفيذ AppLocker/Windows Defender Application Control لمنع تنفيذ الملفات القابلة للتنفيذ غير المصرح بها في مسارات الخدمة

3. تطبيق قوائم التحكم في الوصول لنظام الملفات لتقييد أذونات الكتابة في دلائل الخدمة (C:\Program Files\Wacom\)

4. تشغيل محطات العمل بامتيازات المستخدم القياسي؛ تعطيل الارتفاع التلقائي

الكشف:

1. مراقبة Event Viewer لأحداث Service Control Manager (معرّف الحدث 7045) التي تشير إلى تعديلات الخدمة

2. التنبيه عند إنشاء عملية مع WTabletService كعملية والد

3. مراقبة تغييرات نظام الملفات في دلائل تثبيت Wacom باستخدام مراقبة سلامة الملفات

4. قاعدة Sysmon: مراقبة CreateRemoteThread من عملية WTabletService

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.5.1.1 - Information security policies and procedures (privilege management) A.5.2.1 - User access management and privilege escalation controls A.5.3.1 - Access control implementation and monitoring A.6.1.1 - Cryptography and secure configuration of systems A.7.1.1 - Physical and environmental security controls

🔵 SAMA CSF

ID.AM-2 - Asset management and inventory of software PR.AC-1 - Access control policies and procedures PR.AC-4 - Access rights and privilege management DE.CM-1 - Detection and monitoring of unauthorized access RS.MI-1 - Incident response and containment

🟡 ISO 27001:2022

A.5.1.1 - Information security policies A.5.2.1 - Privileged access rights A.5.3.1 - Access control implementation A.6.1.1 - Cryptography and secure configuration A.8.1.1 - Asset management and inventory A.12.2.1 - Change management procedures A.12.6.1 - Management of technical vulnerabilities

🟣 PCI DSS v4.0.1

2.2.4 - Configure system security parameters to prevent misuse 6.2 - Ensure security patches are installed 8.1.4 - Remove/disable unnecessary user accounts 10.2.5 - Restrict access to audit trails

🔗 References & Sources 3

🔗

https://www.exploit-db.com/exploits/47593

disclosure@vulncheck.com

🔗

https://www.vulncheck.com/advisories/wacom-wtabletservice-wtabletservicepro-unquoted-se...

disclosure@vulncheck.com

🔗

https://www.wacom.com

disclosure@vulncheck.com

📊 CVSS Score

7.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.8

CWECWE-428

EPSS0.01%

Exploit No

Patch ✓ Yes

Published 2026-02-05

Source Feed nvd

🇸🇦 Saudi Risk Score

7.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-428

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2019-25288

💬 Comments

Introduce Yourself

Sign In Required