(CVE-2025-10568) Arbitrary Code Execution in HP HyperX NGENUITY
Have you ever heard of a path hijacking attack before?
This article has been approved by HP for publication. The content on this blog is published for educational and informational purposes only.
Today I'd like to share my attack vector called path hijacking. A successful attack usually leads to arbitrary code execution. Not many sources mention it and there are few PoCs available. The concept is similar to DLL hijacking and unquoted service-path vulnerabilities, with a small twist. Hope everyone enjoys it!
What is Path Hijacking vulnerability?
According to MITRE description - https://attack.mitre.org/techniques/T1574/007/
Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line.
To put it simply, when you install or run a program, it often depends on other binaries. For example, an updater executable might look for powershell.exe, which is typically located in C:\Windows\System32. If you open Environment Variables, you can see that this folder is registered in the system PATH variable. This means every binary in those folders can be run by simply typing its name in the PowerShell terminal, e.g. powershell, cmd, findstr, etc.

So, what’s the problem here? Let’s imagine a program calls powershell via the PATH environment variable without specifying the full path C:\Windows\System32\powershell.exe. What happens? Windows walks the PATH entries in order and runs the first powershell.exe it finds. If a PATH entry that appears before C:\Windows\System32 contains a powershell.exe, Windows will execute that one instead. That’s why we call it path hijacking!
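As an added example (not code from the original post or from HP), the PowerShell audit below walks the current PATH in search order, shows which directory a bare wmic.exe call would resolve to, and flags entries that precede the legitimate wbem directory and are writable by the current low-privileged user. The canonical directory and the probe-file approach are assumptions, and only the PATH part of the Windows lookup is modelled.

```powershell
# Added example, not from the original post or from HP/HyperX code. It lists the
# PATH entries in search order, marks which entry a bare "wmic.exe" call would
# resolve to, and flags entries that precede the canonical wbem directory and
# are writable by the current (non-admin) user. Only the PATH part of the
# Windows lookup is modelled; the canonical directory is an assumption.
param(
    [string]$Binary       = 'wmic.exe',
    [string]$CanonicalDir = (Join-Path $env:SystemRoot 'System32\wbem')
)

# PATH entries in the order Windows walks them (empty entries dropped).
$entries = @($env:Path -split ';' | ForEach-Object { $_.Trim() } |
             Where-Object { $_ -ne '' })
$canon = $CanonicalDir.TrimEnd('\')

# Index of the legitimate directory; every entry before it can shadow it.
$canonicalIndex = -1
for ($i = 0; $i -lt $entries.Count; $i++) {
    if ($entries[$i].TrimEnd('\') -eq $canon) { $canonicalIndex = $i; break }   # -eq ignores case
}

$resolved = $null
for ($i = 0; $i -lt $entries.Count; $i++) {
    $dir       = $entries[$i]
    $candidate = Join-Path $dir $Binary
    $exists    = Test-Path -LiteralPath $candidate -PathType Leaf

    # Probe writability the only reliable way: try to create and delete a file.
    $writable = $false
    if (Test-Path -LiteralPath $dir -PathType Container) {
        $probe = Join-Path $dir ('path-audit-' + [guid]::NewGuid().ToString('N') + '.tmp')
        try {
            [IO.File]::WriteAllText($probe, '')
            $writable = $true
            Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        } catch { }
    }

    $flag = ''
    if ($canonicalIndex -ge 0 -and $i -lt $canonicalIndex) {
        if ($exists)   { $flag += ' [ALERT: shadowing copy already present]' }
        if ($writable) { $flag += ' [RISK: writable and precedes canonical dir]' }
    }
    if ($exists -and -not $resolved) { $resolved = $candidate; $flag += ' <- first match' }
    '{0,3}: {1}{2}' -f $i, $dir, $flag
}

"A bare '$Binary' call would resolve to: $resolved"
if ($canonicalIndex -lt 0) { "Canonical directory '$canon' is not in PATH at all." }
```

Run it as the account the service would impersonate or as an ordinary user; any entry marked RISK is the precondition the attack described in this post needs, and an ALERT entry deserves an immediate look.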
Real-world scenario
As always, where's the fun if it isn't real? In this blog, I'm using HyperX NGENUITY software as a case study. I'm, of course, the researcher of this CVE.

During initial testing, I ran Procmon, a legitimate Microsoft process-monitoring tool, to analyze processes in real time. With a small filter configured, I could observe the software’s events every time a new process was launched.

After monitoring processes for a while, I noticed that the HyperX NGENUITY service named "NGENUITY Helper service" (NGenuity2Helper.exe) launched wmic to run a command without specifying the full path to WMIC (C:\Windows\System32\wbem\wmic.exe) when the program starts. This helper process is therefore vulnerable to a PATH hijacking attack.

Exploitation
There are two ways to exploit this, depending on your privileges and scenario.
Low-privileged user — Plant a malicious wmic.exe in a directory that appears in PATH before C:\Windows\System32\wbem\. This method requires write access to that folder.
High-privileged user — If you can modify the system PATH variable, create a new folder, place it before C:\Windows\System32\wbem\, and put your malicious binary there.
For a quick demonstration, I created a reverse shell executable using https://www.revshells.com/. You also need to compile the C file to an .EXE using your favorite compiler.

Next, I placed the malicious executable in a folder where I have write access. For this demonstration, I assumed the hijack folder is writable and present in the PATH.

Then I started a listener and waited for the incoming connection from the malicious executable.

For the finale, open the HyperX NGENUITY program and observe that the connection was indeed made to our listening port!

Looking at Procmon, we can see the NGENUITY Helper service executing the fake wmic.exe from our writable folder instead of C:\Windows\System32\wbem\wmic.exe. This confirms the exploit succeeded.

Final
After I found this vulnerability, I immediately reported it to HP’s security team via coordinated vulnerability disclosure. Not long after my first email, they reached out and everything was resolved within the agreed timeframe between the researcher and HP. As for remediation, it’s straightforward: specify the full path. By specifying the full path to wmic.exe, the program prevents this class of path-hijacking attacks because it will not load wmic.exe from other folders via the PATH.
HP is releasing updated software to address the potential vulnerability. Use the following steps to resolve potential vulnerabilities.
Uninstall any versions of HyperX NGENUITY earlier than 5.32.0.0.
Install the latest version of HyperX NGENUITY (https://apps.microsoft.com/detail/9p1tbxr6qdcx).
So the latest version is no longer vulnerable to path hijacking.

Extra
If you want to report vulnerabilities in HP products to the HP security team, you can follow these steps:
Submit a report via the below link
Follow the Coordinated Vulnerability Disclosure Program instructions
For more details - https://www.cisa.gov/resources-tools/programs/coordinated-vulnerability-disclosure-program
[Optional] Send article draft to HP for review before publication
For those who want to publish the article: send a draft of your article to HP for review before publishing your findings.