📄 الوصف (الإنجليزية)
Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. Because the ProgramData directory is writable by non-administrative users by default and the ClaudeCode subdirectory was not pre-created or access-restricted, a low-privileged local user could create this directory and place a malicious configuration file that would be automatically loaded for any user launching Claude Code on the same machine. Exploiting this would have required a shared multi-user Windows system and a victim user to launch Claude Code after the malicious configuration was placed. This issue has been fixed on version 2.1.75.
🤖 ملخص AI
Claude Code versions prior to 2.1.75 on Windows contain a privilege escalation vulnerability (CVE-2026-35603) where low-privileged users can create malicious configuration files in the ProgramData directory that are automatically loaded by other users. This affects shared multi-user Windows systems commonly found in Saudi corporate environments. The vulnerability requires local access and user interaction but could enable unauthorized code execution with elevated privileges.
📄 الوصف (العربية)
🤖 التحليل الذكي آخر تحليل: May 5, 2026 22:17
🇸🇦 التأثير على المملكة العربية السعودية
This vulnerability primarily impacts Saudi organizations with shared development workstations, particularly in: (1) Technology and software development companies using Claude Code for AI-assisted development; (2) Government IT departments and research institutions utilizing Claude Code on shared systems; (3) Financial services firms (SAMA-regulated banks) with development teams; (4) Telecommunications companies (STC, Mobily) with shared development infrastructure; (5) Energy sector (ARAMCO, SABIC) research and development teams. The risk is elevated in organizations with inadequate endpoint security controls and multi-user Windows systems common in Saudi corporate environments.
🏢 القطاعات السعودية المتأثرة
Technology and Software Development
Government and Public Administration
Banking and Financial Services
Telecommunications
Energy and Utilities
Research and Development
Higher Education
🎯 تقنيات MITRE ATT&CK
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1547.014 - Boot or Logon Autostart Execution: Active Setup
T1574.010 - Hijack Execution Flow: Services Registry Permissions Weakness
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1547.010 - Boot or Logon Autostart Execution: Port Monitors
T1543.001 - Create or Modify System Process: Windows Service
T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking
⚖️ درجة المخاطر السعودية (AI)
6.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all Claude Code installations across the organization using endpoint detection tools
2. Audit C:\ProgramData\ClaudeCode directory permissions on all Windows systems
3. Review access logs for unauthorized configuration file creation
4. Isolate affected shared systems if suspicious configuration files are detected
Patching Guidance:
1. Upgrade Claude Code to version 2.1.75 or later immediately on all systems
2. Implement automated patch management for Claude Code updates
3. Restrict ProgramData directory permissions to prevent non-administrative users from creating subdirectories
4. Pre-create C:\ProgramData\ClaudeCode with restricted permissions (Administrators only)
Compensating Controls (if immediate patching not possible):
1. Disable Claude Code on shared multi-user systems until patched
2. Implement application whitelisting to prevent unauthorized Claude Code execution
3. Monitor ProgramData directory for unauthorized file creation using File Integrity Monitoring (FIM)
4. Restrict local user account privileges where possible
5. Implement Windows AppLocker policies to control Claude Code execution
Detection Rules:
1. Monitor for file creation in C:\ProgramData\ClaudeCode by non-administrative users
2. Alert on modifications to managed-settings.json outside of official Claude Code updates
3. Track Claude Code process execution with suspicious parent processes
4. Monitor for privilege escalation attempts following Claude Code execution
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع تثبيتات Claude Code عبر المنظمة باستخدام أدوات كشف نقاط النهاية
2. تدقيق أذونات مجلد C:\ProgramData\ClaudeCode على جميع أنظمة Windows
3. مراجعة سجلات الوصول لإنشاء ملفات إعدادات غير مصرح بها
4. عزل الأنظمة المشتركة المتأثرة إذا تم اكتشاف ملفات إعدادات مريبة
إرشادات التصحيح:
1. ترقية Claude Code إلى الإصدار 2.1.75 أو أحدث فوراً على جميع الأنظمة
2. تنفيذ إدارة التصحيحات الآلية لتحديثات Claude Code
3. تقييد أذونات مجلد ProgramData لمنع المستخدمين غير الإداريين من إنشاء مجلدات فرعية
4. إنشاء مسبق لـ C:\ProgramData\ClaudeCode بأذونات مقيدة (المسؤولون فقط)
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. تعطيل Claude Code على الأنظمة المشتركة متعددة المستخدمين حتى يتم تصحيحها
2. تنفيذ قائمة بيضاء للتطبيقات لمنع تنفيذ Claude Code غير المصرح به
3. مراقبة مجلد ProgramData للكشف عن إنشاء ملفات غير مصرح بها باستخدام مراقبة سلامة الملفات
4. تقييد امتيازات حسابات المستخدمين المحليين حيثما أمكن
5. تنفيذ سياسات Windows AppLocker للتحكم في تنفيذ Claude Code
قواعد الكشف:
1. مراقبة إنشاء الملفات في C:\ProgramData\ClaudeCode من قبل المستخدمين غير الإداريين
2. التنبيه على التعديلات على managed-settings.json خارج تحديثات Claude Code الرسمية
3. تتبع تنفيذ عملية Claude Code مع العمليات الأب المريبة
4. مراقبة محاولات تصعيد الامتيازات بعد تنفيذ Claude Code
📋 خريطة الامتثال التنظيمي
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policy (inadequate directory permission controls)
ECC 2024 A.5.2.1 - User Registration and Access Rights (privilege escalation)
ECC 2024 A.5.3.1 - Management of Privileged Access Rights (local privilege escalation)
ECC 2024 A.8.1.1 - User Endpoint Devices (shared system security)
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Asset Management (inventory of Claude Code installations)
SAMA CSF PR.AC-1 - Access Control (directory permissions and privilege management)
SAMA CSF PR.AC-4 - Access Rights (principle of least privilege violation)
SAMA CSF DE.CM-1 - Detection and Analysis (monitoring for unauthorized configuration changes)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.2 - User Access Management (inadequate access controls)
ISO 27001:2022 A.5.3 - Privileged Access Rights (privilege escalation vulnerability)
ISO 27001:2022 A.8.1 - User Endpoint Devices (endpoint security controls)
ISO 27001:2022 A.8.3 - Removable Media (configuration file integrity)
📦 المنتجات المتأثرة 1 منتج
anthropic:claude_code