During a pentest last year I found an issue which affected the Windows installation product packages for the following products from Utimaco
SecurityServer 3.x, 4.x up to version 4.31.1
PaymentServer 3.x, 4.x up to version 4.33.0
PaymentServer Hybrid 3.x, 4.x up to version 4.33.0
Block-safe 2.0.0, 3.0.0
CryptoServer CP5 220.127.116.11, 18.104.22.168, incl. CryptoServer CP5 Supporting CD and CryptoServer CP5 SDK CD
CryptoServer CP5 VS-NfD 22.214.171.124
CryptoServer SDK 3.x, 4.x up to version 4.31.1
The issue related to weak folder permissions which allowed for an escalation of privileges
The HSM Firmware was not affected by this issue.
Utimaco were very responsive when I reported this to them and kept me informed throughout their remediation process.
A security advisory document was produced for their clients which can be viewed using the Download button below.