Summary

A potential privilege escalation issue was identified in InstallShield version 2025 R2 and earlier when running compressed Basic MSI setup with Prerequisites from an insecure location. If a local administrator launches a compressed Setup.exe with Prerequisites from an unsecured location, the Prerequisite installers also might load from an unsecured location, potentially leading to privilege escalation.

Resolution

It is important to follow security best practices to avoid running installers especially with elevated, administrator privileges from insecure or untrusted directories. A patch to address this issue for InstallShield 2025 R2 is available for download from the Product and License Center. Patches for InstallShield supported versions (2024 R2 and 2023 R2) will be available tomorrow on the Product and License Center.

Additional Information

For identifying this vulnerability and disclosing it to Revenera under a responsible disclosure process, we'd like to thank and give credit to Sandeep Kumar Singh (AMD).