PsExec has been vulnerable to a local privilege escalation for the last 14 years, according to security researcher David Wells. The vulnerability lies in the PSEXESVC service, which runs as SYSTEM on the target machine. PsExec relies on named pipes to communicate with this service, and if an attacker manages to create the “PSEXESVC” named pipe before PSEXESVC starts, the service is tricked into opening a named pipe it did not create and did not set protections on. This allows any low-privilege user to send data to the SYSTEM-level PSEXESVC service, so anyone with user access to a system can gain full administrative rights to that machine the next time an administrator sends any remote command to it with PsExec.
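The condition described above, a PSEXESVC pipe that already exists when the SYSTEM service goes to open it, leaves a trace in pipe-creation telemetry: the pipe is created by some process other than the service binary, or by a non-SYSTEM account. The following detection logic is an added example, not code from the article, from Sysinternals or from 0patch. It assumes records shaped like Sysmon Event ID 17 (PipeEvent: Pipe Created) with the fields UtcTime, ProcessId, PipeName, Image and User (User treated as optional, since older Sysmon builds omit it), and it assumes the legitimate service image is named PSEXESVC.exe; the sample records are constructed.

```python
"""Detect squatting on PsExec's PSEXESVC named pipe from pipe-creation telemetry.

Added example, not code from the article, Sysinternals or 0patch. It assumes
pipe-creation records shaped like Sysmon Event ID 17 (PipeEvent: Pipe Created)
with the fields UtcTime, ProcessId, PipeName, Image and User (User is treated
as optional since older Sysmon versions omit it). The sample records below are
constructed, not real telemetry.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional
import ntpath

# Pipe name as Sysmon reports it: a leading backslash, no \\.\pipe\ prefix.
PSEXESVC_PIPE = "\\PSEXESVC"
# File name of the service binary PsExec copies to the target (assumption about
# the expected image; the article only names the service).
EXPECTED_IMAGE = "psexesvc.exe"
EXPECTED_USER = "NT AUTHORITY\\SYSTEM"


@dataclass
class PipeCreated:
    utc_time: str
    process_id: int
    pipe_name: str
    image: str
    user: Optional[str] = None


@dataclass
class Finding:
    utc_time: str
    process_id: int
    image: str
    user: Optional[str]
    reason: str


def is_psexesvc_pipe(pipe_name: str) -> bool:
    """Windows pipe names are case-insensitive; accept Sysmon and device-path forms."""
    return pipe_name.lower() in (PSEXESVC_PIPE.lower(), "\\\\.\\pipe\\psexesvc")


def check_pipe_event(ev: PipeCreated) -> Optional[Finding]:
    """Flag a PSEXESVC pipe created by anything other than the SYSTEM service binary.

    The legitimate service creates the pipe itself while running as SYSTEM. A pipe
    with this name opened by a different image, or by a non-SYSTEM account, is the
    precondition for the hijack the article describes.
    """
    if not is_psexesvc_pipe(ev.pipe_name):
        return None
    image_name = ntpath.basename(ev.image).lower()
    if image_name != EXPECTED_IMAGE:
        return Finding(ev.utc_time, ev.process_id, ev.image, ev.user,
                       f"PSEXESVC pipe created by unexpected image {image_name}")
    if ev.user is not None and ev.user.upper() != EXPECTED_USER:
        return Finding(ev.utc_time, ev.process_id, ev.image, ev.user,
                       f"PSEXESVC pipe created by non-SYSTEM account {ev.user}")
    return None


def scan(events: Iterable[PipeCreated]) -> List[Finding]:
    """Run the check over a stream of pipe-creation records and collect findings."""
    findings = []
    for ev in events:
        f = check_pipe_event(ev)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample telemetry: one legitimate service pipe, one PSEXESVC pipe
# created by an ordinary user's process, and one unrelated pipe.
SAMPLE_EVENTS = [
    PipeCreated("2020-12-09 10:01:02.000", 4120, "\\PSEXESVC",
                "C:\\Windows\\PSEXESVC.exe", "NT AUTHORITY\\SYSTEM"),
    PipeCreated("2020-12-09 10:05:44.000", 7788, "\\PSEXESVC",
                "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe", "WORKSTATION\\alice"),
    PipeCreated("2020-12-09 10:06:00.000", 512, "\\lsass",
                "C:\\Windows\\System32\\lsass.exe", "NT AUTHORITY\\SYSTEM"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.utc_time} pid={f.process_id} user={f.user} image={f.image}: {f.reason}")
```

Running the script reports only the second record. Note that the image-name check is a heuristic: PsExec's `-r` option lets an administrator rename the remote service, in which case the pipe and image names differ from the defaults and the expected values above would need adjusting.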
This vulnerability has been confirmed to work from version 1.72, released in 2006, through the current release (version 2.2), and requires the attacker to already have at least non-administrative access to the systems PsExec will be run on. Wells gave Microsoft 90 days to patch before disclosing the vulnerability. Although Microsoft has yet to release a patch, the third-party patch provider 0patch has released its own “micropatch”, available for free through the 0patch Agent software. This micropatch only works for the latest version of PsExec, however. Organizations that do not wish to rely on or trust a third-party patch may need to weigh the risk of continuing to use PsExec if Microsoft does not release an update.