📄 Description (English)
Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writeable by standard users) without locking the file, a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. This issue has been fixed in version 4.12_BETA.
🤖 AI Executive Summary
Rufus versions 4.11 and below contain a critical race condition (TOCTOU) vulnerability in PowerShell script handling that allows local attackers to achieve arbitrary code execution with Administrator privileges. The vulnerability exists because Rufus writes scripts to the world-writable %TEMP% directory without file locking, enabling attackers to replace legitimate scripts before execution. This is particularly dangerous in Saudi organizations where Rufus is commonly used for system deployment and USB bootable media creation.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 5, 2026 16:50
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi government agencies (NCA, NCSC), banking sector (SAMA-regulated institutions, major banks), healthcare organizations, and energy sector (ARAMCO, utilities). Government IT departments and system administrators frequently use Rufus for mass deployment of Windows systems and security updates. Compromised systems could lead to unauthorized access to sensitive government networks, financial systems, and critical infrastructure. The vulnerability is particularly dangerous in shared IT environments and during system provisioning phases common in Saudi enterprises.
🏢 Affected Saudi Sectors
Government (NCA, NCSC, Ministry of Interior)
Banking and Financial Services (SAMA-regulated institutions)
Healthcare (MOH, private hospitals)
Energy and Utilities (ARAMCO, SEC)
Telecommunications (STC, Mobily, Zain)
Education (Universities, Technical Institutes)
Defense and Military
Critical Infrastructure
🎯 MITRE ATT&CK Techniques
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1036.005 - Masquerading: Match Legitimate Name or Location
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1059.001 - Command and Scripting Interpreter: PowerShell
T1574.008 - Hijacking Execution Flow: Search Order Hijacking
T1566.002 - Phishing: Spearphishing Link
T1204.002 - User Execution: Malicious File
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Upgrade Rufus to version 4.12_BETA or later immediately
2. Audit all systems where Rufus 4.11 or below has been used in the past 6 months
3. Review Windows Event Logs for suspicious PowerShell execution and file modifications in %TEMP% directory
4. Check for unauthorized Administrator-level processes spawned from %TEMP% location
PATCHING GUIDANCE:
1. Deploy Rufus 4.12_BETA or newer across all endpoints via SCCM/Intune
2. Verify patch installation: Check Rufus version in Control Panel > Programs and Features
3. Test patched version in isolated environment before full deployment
COMPENSATING CONTROLS (if immediate patching delayed):
1. Restrict Rufus execution to designated administrative accounts only
2. Implement AppLocker rules to prevent execution of PowerShell scripts from %TEMP%
3. Enable Windows Defender Application Guard for Rufus execution
4. Monitor %TEMP% directory for unauthorized file modifications using File Integrity Monitoring (FIM)
5. Disable Fido functionality in Rufus if not required
DETECTION RULES:
1. Monitor for PowerShell processes spawned from %TEMP% or %APPDATA%\Temp
2. Alert on file modifications in %TEMP% during Rufus execution
3. Track Administrator-level process creation from temporary directories
4. Monitor for Rufus.exe writing to %TEMP% followed by PowerShell.exe execution within 5 seconds
5. Implement Sysmon rules: Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate) correlation
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. ترقية Rufus إلى الإصدار 4.12_BETA أو أحدث فوراً
2. تدقيق جميع الأنظمة التي تم استخدام Rufus 4.11 أو أقل عليها خلال الستة أشهر الماضية
3. مراجعة سجلات أحداث Windows للتنفيذ المريب لـ PowerShell وتعديلات الملفات في مجلد %TEMP%
4. التحقق من العمليات غير المصرح بها على مستوى المسؤول التي تم إطلاقها من موقع %TEMP%
إرشادات التصحيح:
1. نشر Rufus 4.12_BETA أو أحدث عبر جميع نقاط النهاية عبر SCCM/Intune
2. التحقق من تثبيت التصحيح: تحقق من إصدار Rufus في لوحة التحكم > البرامج والميزات
3. اختبار الإصدار المصحح في بيئة معزولة قبل النشر الكامل
الضوابط البديلة (إذا تأخر التصحيح الفوري):
1. تقييد تنفيذ Rufus على حسابات إدارية معينة فقط
2. تنفيذ قواعد AppLocker لمنع تنفيذ سكريبتات PowerShell من %TEMP%
3. تفعيل Windows Defender Application Guard لتنفيذ Rufus
4. مراقبة مجلد %TEMP% للتعديلات غير المصرح بها باستخدام مراقبة سلامة الملفات (FIM)
5. تعطيل وظيفة Fido في Rufus إذا لم تكن مطلوبة
قواعد الكشف:
1. مراقبة عمليات PowerShell التي يتم إطلاقها من %TEMP% أو %APPDATA%\Temp
2. التنبيه على تعديلات الملفات في %TEMP% أثناء تنفيذ Rufus
3. تتبع إنشاء العمليات على مستوى المسؤول من الدلائل المؤقتة
4. مراقبة Rufus.exe الكتابة إلى %TEMP% متبوعة بتنفيذ PowerShell.exe خلال 5 ثوان
5. تنفيذ قواعد Sysmon: ارتباط معرف الحدث 11 (FileCreate) ومعرف الحدث 1 (ProcessCreate)
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policies
ECC 2024 A.5.2.1 - User Registration and De-registration
ECC 2024 A.8.1.1 - Asset Inventory and Ownership
ECC 2024 A.8.2.1 - Information Classification
ECC 2024 A.12.2.1 - Change Management
ECC 2024 A.12.6.1 - Management of Technical Vulnerabilities
🔵 SAMA CSF
SAMA CSF ID.AM-1 - Physical and Cyber Assets
SAMA CSF ID.GV-1 - Organizational Context
SAMA CSF PR.IP-1 - Security Policy and Processes
SAMA CSF PR.IP-12 - Software, Firmware, and Information Integrity
SAMA CSF DE.CM-8 - Vulnerability Scans
SAMA CSF RS.MI-2 - Incident Response and Recovery
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 - Policies for Information Security
ISO 27001:2022 A.6.1 - Organization of Information Security
ISO 27001:2022 A.8.1 - Asset Management
ISO 27001:2022 A.12.2 - Software Development and Change Management
ISO 27001:2022 A.12.6 - Management of Technical Vulnerabilities
ISO 27001:2022 A.14.2 - Information Security Requirements Analysis and Specification
🟣 PCI DSS v4.0.1
PCI DSS 2.4 - Document and Implement Security Configuration Standards
PCI DSS 6.2 - Ensure Security Patches are Installed
PCI DSS 11.2 - Run Automated Vulnerability Scanning Tools
🔗 References & Sources 3
🔗
https://github.com/pbatard/rufus/commit/460cc5768aa45be07941b9e4ebc9bee02d282873
security-advisories@github.com
Patch
🔗
https://github.com/pbatard/rufus/releases/tag/v4.12_BETA
security-advisories@github.com
Broken Link
🔗
https://github.com/pbatard/rufus/security/advisories/GHSA-hcx5-hrhj-xhq9
security-advisories@github.com
Exploit
Vendor Advisory
📦 Affected Products / CPE 1 entries
akeo:rufus