During a pentest last year I found an issue affecting the Windows installation packages for the following Utimaco products:
SecurityServer 3.x, 4.x up to version 4.31.1
PaymentServer 3.x, 4.x up to version 4.33.0
PaymentServer Hybrid 3.x, 4.x up to version 4.33.0
Block-safe 2.0.0, 3.0.0
CryptoServer CP5 22.214.171.124, 126.96.36.199, incl. CryptoServer CP5 Supporting CD and CryptoServer CP5 SDK CD
CryptoServer CP5 VS-NfD 188.8.131.52
CryptoServer SDK 3.x, 4.x up to version 4.31.1
The issue was weak folder permissions on the installed product directories, which allowed an escalation of privileges.
The HSM Firmware was not affected by this issue.
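The following PowerShell script is an added example, not code from the original post nor from Utimaco's advisory. It shows the check a defender would run against an installed product to find the class of weakness described above: access-control entries on the install tree that grant write, delete or permission-change rights to broad low-privilege principals such as Everyone or BUILTIN\Users. The install path and the list of "broad" principals are assumptions and must be adjusted for the product being audited.

```powershell
# Added example (not from the original post or Utimaco): audit an install tree
# for ACL entries that let low-privilege principals modify files.
# Assumption: $InstallRoot is a placeholder; point it at the product's folder.
param(
    [string]$InstallRoot = 'C:\Program Files\ExampleVendor\ExampleProduct'  # placeholder path
)

# Principals that should not hold write rights on a privileged product's files (assumed list)
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow a caller to alter, replace or re-permission files.
# FullControl and Modify are supersets of these bits, so they are caught as well.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteRights = $R::Write -bor $R::Delete -bor $R::DeleteSubdirectoriesAndFiles -bor
               $R::ChangePermissions -bor $R::TakeOwnership

function Find-WeakAcl {
    param([string]$Path)
    $findings = @()
    # Include the root itself plus everything below it (hidden/system files too)
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName } catch { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # -band on the enum compares the raw access mask bits
            if (($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }
            $findings += [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    return $findings
}

function Remove-WeakAce {
    # Remediation: strip the explicit (non-inherited) offending entries.
    # Inherited entries must be fixed on the parent folder they come from.
    param([object[]]$Findings)
    foreach ($f in $Findings | Where-Object { -not $_.Inherited }) {
        $acl = Get-Acl -LiteralPath $f.Path
        foreach ($ace in @($acl.Access)) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -eq $f.Principal -and
                (($ace.FileSystemRights -band $WriteRights) -ne 0)) {
                [void]$acl.RemoveAccessRule($ace)
            }
        }
        Set-Acl -LiteralPath $f.Path -AclObject $acl
        Write-Host "Removed write rights for $($f.Principal) on $($f.Path)"
    }
}

$weak = Find-WeakAcl -Path $InstallRoot
if ($weak.Count -eq 0) {
    Write-Host "No broad-principal write access found under $InstallRoot"
} else {
    $weak | Format-Table -AutoSize
    # Uncomment to remediate explicit entries after reviewing the report:
    # Remove-WeakAce -Findings $weak
}
```

Run the script as an administrator against the product's install root; any row in the report is a location where a standard user could replace a binary, DLL or configuration file that a privileged service or installer later uses. Inherited entries (Inherited = True) point at a parent folder, often the install root itself, whose ACL was set too loosely by the installer, and that is where the fix belongs.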
Utimaco were very responsive when I reported this to them and kept me informed throughout their remediation process.
A security advisory document was produced for their clients; it can be viewed using the Download button below.