CVE-2016-15045
HIGH EPSS 27.7%
Published Jul 23, 202511mo ago · Modified Jun 17, 20261w ago
8.5 CVSS 4.0
Published Jul 23, 2025 11mo ago
Last Modified Jun 17, 2026 1w ago
Description
A local privilege escalation vulnerability exists in lastore-daemon, the system package manager daemon used in Deepin Linux (developed by Wuhan Deepin Technology Co., Ltd.). In versions 0.9.53-1 (Deepin 15.5) and 0.9.66-1 (Deepin 15.7), the D-Bus configuration permits any user in the sudo group to invoke the InstallPackage method without password authentication. By default, the first user created on Deepin is in the sudo group. An attacker with shell access can craft a .deb package containing a malicious post-install script and use dbus-send to install it via lastore-daemon, resulting in arbitrary code execution as root.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X
Threat Intelligence
EPSS Exploit Probability
27.7% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 2
CWE-269 Improper Privilege Management Authorization
CWE-306 Missing Authentication for Critical Function Authentication
References 6
- github.com https://github.com/linuxdeepin/lastore-daemon
- raw.githubusercontent.com https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/local/lastore_daemon_dbus_priv_esc.rb
- deepin.org https://www.deepin.org/en/mirrors/releases/
- exploit-db.com https://www.exploit-db.com/exploits/39433
- exploit-db.com https://www.exploit-db.com/exploits/44523
- vulncheck.com https://www.vulncheck.com/advisories/deepin-lastore-daemon-priv-esc
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.