A high-risk vulnerability, rated 7.8 under CVSS v3.1, exists in the Hotspot Shield VPN client software for Windows, version 10.3.0 and earlier. It allows an authorised user to potentially perform local privilege escalation.
The flaw lies in improper directory permissions on a log folder used by the software client. A local user can corrupt system files by creating specially crafted symbolic links that point to a critical file on the system, which is then overwritten with the privileges of the application.
To mitigate this vulnerability, accurate Access Control List permissions should be set for any location where actions are performed by privileged processes. This includes the C:\ProgramData\Hotspot Shield\logs director
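
One way to check the permissions this mitigation refers to is to audit the log folder's ACL for write-capable entries granted to broad, unprivileged groups. The script below is an added example, not vendor code; the list of principals and the set of rights treated as risky are assumptions chosen for illustration.

```powershell
# Added example (not vendor code): flag ACL entries that let unprivileged
# principals write into a directory used by a privileged service.
param(
    # Path from the advisory; pass another path to audit other locations.
    [string]$Path = 'C:\ProgramData\Hotspot Shield\logs'
)

# Assumption: these well-known SIDs are the "broad" principals to flag.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow creating, replacing or re-permissioning directory entries.
$Risky = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_ALL | GENERIC_WRITE, which Get-Acl reports unmapped on some inherit-only ACEs.
$Generic = 0x50000000

$findings = foreach ($rule in (Get-Acl -LiteralPath $Path).Access) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    try {
        $sid = $rule.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { continue }   # account could not be resolved to a SID
    if (-not $BroadSids.ContainsKey($sid)) { continue }
    $rights = [int]$rule.FileSystemRights
    if (($rights -band $Risky) -or ($rights -band $Generic)) {
        [pscustomobject]@{
            Principal = $BroadSids[$sid]
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

# Existing links or junctions in the directory deserve a manual look.
$links = Get-ChildItem -LiteralPath $Path -Force |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::ReparsePoint }

if ($findings) { $findings | Format-Table -AutoSize } else { 'No broad write access found.' }
if ($links)    { $links | Select-Object FullName, LinkType, Target | Format-List }
```

A reported row means an unprivileged principal can create or replace entries in a directory that a privileged process writes to, which is the permission condition the mitigation asks to remove.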