Overview
Lakeside Software, an IT digital employee experience platform, offers a product called SysTrack, intended for endpoint observability. This program uses an executable called LsiAgent.exe, which attempts to load various Dynamic Link Library (DLL) files when run. The program does not properly validate the DLL files it loads or the locations it loads them from, allowing an attacker to place a malicious DLL file in a directory listed in the System PATH variable on the victim device. When LsiAgent.exe runs, it will load the malicious code, resulting in code execution and privilege escalation, as LsiAgent.exe runs within the NT AUTHORITY\SYSTEM context. A patch has been provided by Lakeside Software, and the vulnerability is fixed in version 10.10.0.42 and higher.
Description
Lakeside Software, an IT digital employee experience company, offers a product called Systems Management Agent (SysTrack) that is intended for endpoint health and performance monitoring. The product installs several programs and executables on a device. One of these programs is called LsiAgent.exe, which runs within the context of NT AUTHORITY\SYSTEM. Additionally, LsiAgent.exe runs on startup with default installation settings. A vulnerability has been discovered, tracked as CVE-2025-6241, which allows an attacker to achieve elevated code execution by placing malicious DLL files in a directory listed in the System PATH environment variable, or by bundling the LsiAgent.exe program alongside another malicious DLL. The bundled DLL will be executed when the victim runs the supposedly safe LsiAgent.exe program.
System PATH variable settings are typically modified by other programs installed during normal use of a machine. When LsiAgent.exe is executed, it will iterate through the System PATH environment variable to search for a DLL named 'wfapi.dll'. SysTrack uses the wfapi.dll file to verify whether the system is running in a virtualized Citrix environment. During the System PATH iteration process, LsiAgent.exe attempts to load and run the first file named wfapi.dll that it encounters in the directories listed in the System PATH variable. Therefore, an attacker would only need to place their malicious DLL file named wfapi.dll in one of the directories listed in the System PATH variable to achieve code execution.
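The following read-only audit is an added example, not code from Lakeside Software or from this vulnerability note. It walks the machine-wide PATH in order and reports, for each directory, whether it exists, which non-administrative SIDs can create files in it, and whether a copy of wfapi.dll is present and how it is signed. The list of trusted SIDs and the write-access mask are assumptions to adjust for your environment.

```powershell
# Added example (read-only audit). Run elevated so every directory ACL is readable.
$DllName   = 'wfapi.dll'   # DLL name from the advisory
# Assumption: SIDs expected to hold write access (SYSTEM, Administrators, TrustedInstaller)
$Trusted   = 'S-1-5-18', 'S-1-5-32-544',
             'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
$WriteMask = 0x50000002    # FILE_ADD_FILE | GENERIC_ALL | GENERIC_WRITE

$order = 0
$report = foreach ($entry in [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';') {
    if ([string]::IsNullOrWhiteSpace($entry)) { continue }
    $order++
    $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
    $row = [ordered]@{ Order = $order; Directory = $dir; Exists = $false
                       NonAdminWriters = ''; DllPresent = $false; Signature = '' }
    if (Test-Path -LiteralPath $dir -PathType Container) {
        $row.Exists = $true
        try {
            # Ask for SIDs rather than names so the check is locale-independent
            $rules = (Get-Acl -LiteralPath $dir -ErrorAction Stop).GetAccessRules(
                $true, $true, [System.Security.Principal.SecurityIdentifier])
            $writers = foreach ($r in $rules) {
                # Inherit-only ACEs (flag value 2) do not apply to the directory itself
                $inheritOnly = ([int]$r.PropagationFlags -band 2) -ne 0
                $canWrite    = ([int]$r.FileSystemRights -band $WriteMask) -ne 0
                if ($r.AccessControlType -eq 'Allow' -and -not $inheritOnly -and
                    $canWrite -and $r.IdentityReference.Value -notin $Trusted) {
                    $r.IdentityReference.Value
                }
            }
            $row.NonAdminWriters = ($writers | Sort-Object -Unique) -join ','
        } catch { $row.NonAdminWriters = 'ACL unreadable' }
        $dll = Join-Path $dir $DllName
        if (Test-Path -LiteralPath $dll -PathType Leaf) {
            $row.DllPresent = $true
            $sig = Get-AuthenticodeSignature -LiteralPath $dll
            $row.Signature = '{0} {1}' -f $sig.Status, $sig.SignerCertificate.Subject
        }
    }
    [pscustomobject]$row
}
# Review any row with NonAdminWriters set, Exists = False, or an unexpected or unsigned DLL copy.
$report | Format-Table -AutoSize -Wrap
```

Rows are listed in search order, so the lowest-numbered row with DllPresent set is the copy the description above says would be loaded first.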
Impact
An attacker with the ability to place a file in any directory listed in the System PATH environment variable on a victim machine can achieve remote code execution and privilege escalation, as LsiAgent.exe runs within the NT AUTHORITY\SYSTEM context. Furthermore, LsiAgent.exe is a signed program, so operations carried out by the malicious DLL will appear to be performed by a legitimate program, heightening the potential impact.
Solution
A patch has been provided by Lakeside Software to fix the affected LsiAgent.exe program. The vulnerability affects version 10.05.0027 and is fixed in versions 10.10.0.42 and higher of LsiAgent.exe. The release notes for the fixed version are available here: https://documentation.lakesidesoftware.com/en/Content/Release%20Notes/Agent/10_10_0%20Hotfix%20Agent%20Release%20Notes%20On%20Premises.htm?tocpath=Release%20Notes%7CAgent%7C_____13
Acknowledgements
Thanks to the reporter Owen Sortwell and contributors Adam Merrill and Brian Healy of Sandia National Laboratories. This document was written by Christopher Cullen.
Other Information
CVE IDs: CVE-2025-6241
Date Public: 2025-07-27
Date First Published: 2025-07-27
Date Last Updated: 2025-07-27 00:44 UTC
Document Revision: 1