NVIDIA Patches Command Execution Vulnerability in GeForce Experience

A recently patched vulnerability in the NVIDIA GeForce Experience (GFE) could be exploited for the execution of arbitrary commands on affected systems, Rhino Security Labs reveals.

The NVIDIA GFE is a companion application installed alongside GeForce drivers, which allows users to capture and share videos, screenshots, and live streams, while also providing the means to keep drivers updated and game settings optimized. 

Tracked as CVE-2019-5678 and residing in a local “Web Helper” server that GFE launches at startup, the vulnerability could be exploited by tricking a victim into visiting a crafted web site and pressing a few keys, David Yesland, security researcher with Rhino Security Labs, says.

“NVIDIA GeForce Experience contains a vulnerability in the Web Helper component, in which an attacker with local system access can craft input that may not be properly validated. Such an attack may lead to code execution, denial of service or information disclosure,” NVIDIA notes in an advisory.

At startup, GFE launches a local API server that controls various aspects of the application; changes made through the GUI most likely translate into calls to this local API. The server only accepts authenticated requests, and Yesland says he could not find a way to bypass that authentication.

He did find that valid requests could be sent to the server from a different origin, such as an attacker-controlled web site, provided the secret token could be obtained. Because the server’s CORS policy accepts requests from any origin, the attack can be carried out from the victim’s browser.

“This attack still required having knowledge of the secret token. The only way around this is if a user could be tricked into uploading the file containing the token. But since the secret token file has a static path and name this could be achieved fairly easily in the browser, which would only require the user to press a couple keys to achieve command injection,” Yesland explains. 

In Chrome, the researcher explains, the exploit requires only three key presses, CTRL+V and Enter, because Chrome lets a page’s script place arbitrary text on the clipboard, which the victim then pastes into the file-selection dialog. In Firefox, however, “this step would require a mouse click of some kind,” he notes.

The attack does require user interaction, but so little that a user can trivially be tricked into performing it.

“The real issue here seems to be that the API allows Cross Origin Resource Sharing from any Origin, which means it is possible to perform an XHR request to any of the endpoints through the browser if the secret token were obtained through any method,” the security researcher says. 

NVIDIA addressed this vulnerability in the latest GFE release by removing the endpoint that allowed the command injection. The open CORS policy, however, has not been changed and the nodejs.json file remains at a static location, meaning that a web page that obtains the token can still interact with the API through the browser.
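The following is an added example, not code from NVIDIA, Rhino Security Labs or this article. It is a small in-memory model of a local, token-authenticated API server that contrasts the open CORS policy described above (any origin accepted) with a hardened policy that admits only the application’s own UI origin and refuses other browser origins server-side. The token value, the “Bearer” header scheme, the /api/v1/settings endpoint and the origins are constructed for illustration; GFE’s real token mechanism and endpoints are not modeled.

```javascript
// Added example (not NVIDIA's, Rhino Security Labs' or the article's code):
// an in-memory model of a local, token-authenticated API server, contrasting
// an open CORS policy (any Origin) with one pinned to the app's own UI origin.
// Token value, "Bearer" scheme, endpoint path and origins are all constructed.

const SECRET_TOKEN = "constructed-token-0123456789abcdef"; // assumption: stands in for the per-install secret

// Policy as the article describes it: every Origin is allowed.
const OPEN_POLICY = { allowOrigin: () => "*" };

// Hardened policy: only the application's own UI origin (assumed here) is
// allowed; any other Origin gets no CORS headers at all.
const APP_UI_ORIGIN = "http://127.0.0.1:4000";
const STRICT_POLICY = { allowOrigin: (o) => (o === APP_UI_ORIGIN ? o : null) };

// CORS response headers for a given request Origin under a policy.
function corsHeaders(origin, policy) {
  const allowed = origin === undefined ? null : policy.allowOrigin(origin);
  if (!allowed) return {};
  return {
    "Access-Control-Allow-Origin": allowed,
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
  };
}

// Handles one request. `req` = { method, path, headers (lower-case keys), body }.
function handleRequest(req, policy) {
  const origin = req.headers.origin;
  const cors = corsHeaders(origin, policy);
  const crossOriginAllowed = Object.keys(cors).length > 0;

  // Browser preflight: Authorization is not a CORS-safelisted header, so the
  // browser asks first. A refused preflight never reaches the token check.
  if (req.method === "OPTIONS") {
    return { status: crossOriginAllowed ? 204 : 403, headers: cors, body: "" };
  }
  // Defence in depth: a browser-originated request from a disallowed Origin is
  // rejected even if the browser failed to enforce CORS. Requests with no
  // Origin header (native clients such as the app's own GUI) are unaffected.
  if (origin !== undefined && !crossOriginAllowed) {
    return { status: 403, headers: {}, body: "origin not allowed" };
  }
  if ((req.headers.authorization || "") !== `Bearer ${SECRET_TOKEN}`) {
    return { status: 401, headers: cors, body: "unauthorized" };
  }
  if (req.method === "POST" && req.path === "/api/v1/settings") {
    const settings = JSON.parse(req.body);
    return { status: 200, headers: cors, body: JSON.stringify({ applied: settings }) };
  }
  return { status: 404, headers: cors, body: "not found" };
}

// Browser rule: page script may read a cross-origin response only if
// Access-Control-Allow-Origin is "*" or exactly equals the page's origin.
function browserCanReadResponse(pageOrigin, response) {
  const acao = response.headers["Access-Control-Allow-Origin"];
  return acao === "*" || acao === pageOrigin;
}

// Simulates an XHR/fetch from a web page at `pageOrigin` that already holds
// `token`, as the article's scenario assumes: preflight, then the real call.
function simulateBrowserCall(pageOrigin, token, policy) {
  const preflight = handleRequest({
    method: "OPTIONS",
    path: "/api/v1/settings",
    headers: {
      origin: pageOrigin,
      "access-control-request-method": "POST",
      "access-control-request-headers": "authorization, content-type",
    },
    body: "",
  }, policy);
  if (preflight.status !== 204) return { status: preflight.status, readable: false };

  const res = handleRequest({
    method: "POST",
    path: "/api/v1/settings",
    headers: { origin: pageOrigin, authorization: `Bearer ${token}`, "content-type": "application/json" },
    body: JSON.stringify({ overlay: false }),
  }, policy);
  return { status: res.status, readable: browserCanReadResponse(pageOrigin, res) };
}

// Native (non-browser) client: no Origin header, same token.
function simulateNativeCall(token, policy) {
  return handleRequest({
    method: "POST",
    path: "/api/v1/settings",
    headers: { authorization: `Bearer ${token}` },
    body: JSON.stringify({ overlay: false }),
  }, policy).status;
}

console.log("attacker page, open CORS:  ", simulateBrowserCall("https://attacker.example", SECRET_TOKEN, OPEN_POLICY));
console.log("attacker page, strict CORS:", simulateBrowserCall("https://attacker.example", SECRET_TOKEN, STRICT_POLICY));
console.log("app UI, strict CORS:       ", simulateBrowserCall(APP_UI_ORIGIN, SECRET_TOKEN, STRICT_POLICY));
console.log("native client, strict CORS:", simulateNativeCall(SECRET_TOKEN, STRICT_POLICY));
```

The point the model makes is that CORS is enforced by the browser, not the server: with a wildcard policy, any page that learns the token can drive the loopback API from the victim’s browser, and a script-set Authorization header does not count as “credentials” that a wildcard would block. Pinning the allowed origin and additionally rejecting disallowed Origin headers on the server closes the browser vector without affecting native clients, which send no Origin header; it does not protect against a local process that can read the token file, which is why a secret at a static, world-readable path is a weakness in its own right. Newer Chrome releases also restrict requests from public web sites to loopback addresses (Private Network Access), which narrows but does not eliminate this class of issue.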

Another security flaw NVIDIA patched in GFE stems from the application loading Windows system DLLs without validating their path or signature, which an attacker with local system access could exploit to escalate privileges through code execution.

Related: NVIDIA Patches High Severity Bugs in GPU Display Driver

Related: NVIDIA Patches Serious Flaw in GeForce Experience Software

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
