Researchers from security company Decoder have revealed a zero-day vulnerability in the Dropbox for Windows app.
The vulnerability is in the DropboxUpdater service that ships with the software. It is a local privilege escalation flaw that would allow an attacker to overwrite files in the System directory; by exploiting it, the researchers were able to obtain a command-line shell with SYSTEM privileges.
The team informed Dropbox of the vulnerability in September, but after the 90-day disclosure window the company had yet to fix the issue.
In a statement Dropbox confirmed:
“We learned of this issue through our bug bounty program and will be rolling out a fix in the coming weeks,” a Dropbox spokesperson says, “this bug can only be leveraged in limited circumstances, and we haven’t received any reports of this vulnerability impacting our users.”
The attack also requires local access to the machine, but it could easily be used as one step in a chained attack. Read more about the attack at BleepingComputer.