A critical zero-day vulnerability has been discovered in the ClassLink Agent for Microsoft Windows, posing a significant risk to users.
This vulnerability, identified as a remote command execution flaw, can be triggered by simply visiting a malicious webpage.
Once the user is prompted to click “Allow,” the malicious code executes directly from the browser, enabling attackers to gain control of the system.
The exploit is currently being marketed on a dark web crime forum by a seller operating under the username “tikila.”
According to the seller, this zero-day exploit boasts process continuation capabilities and a 100% success rate.
A user asked if the zero-day being discussed is related to a previous ClassLink RCE from 2018 that has already been patched. The seller responded that it is not the same and this is a relatively new vulnerability.

The asking price for this exploit remains undisclosed, and transactions are conducted exclusively through escrow, with proof of funds required from buyers.
ClassLink is a widely used agent for local file editing, and it is primarily used in educational settings to facilitate access to school resources.
This zero-day vulnerability specifically targets the ClassLink Agent, making it possible for attackers to execute commands and functions on a victim's computer with just a single click in the browser.
How it works
To show proof of the zero-day, the threat actor has shared a demonstration video via Google Drive.
The video showcases the exploit in action: upon clicking “Allow” or even “Deny,” the code executes.

The Command Prompt then opens for a millisecond to execute the code, which in turn opens the calculator program.
The fact that the malicious code executes regardless of whether the user clicks Allow or Deny creates a false sense of security, leading users to believe they can safely dismiss the pop-up, only to have the exploit run anyway.
This vulnerability is particularly concerning due to its ease of execution and the immediate impact it can have on compromised systems.
As of the time of writing, a patch to address this zero-day is unlikely to be released in the near future, leaving users at risk.
In the meantime, organizations using ClassLink should review their security protocols and consider disabling or limiting the use of the agent until a fix is available.