Savitech provides USB audio drivers for a number of specialized audio products. Some versions of the Savitech driver package silently install a SaviAudio root CA certificate into the Windows trusted root certificate store. According to Savitech, this certificate is used for driver signing under Windows XP and is no longer necessary, but was not removed from installers for later operating systems. This issue has been assigned CVE-2017-9758.

There is currently no evidence that the Savitech private key is compromised. However, users are encouraged to remove the certificate out of caution. The two known certificates are:



SaviAudio root certificate #1

‎Validity: Thursday, ‎May ‎31, ‎2012 - ‎Tuesday, ‎December ‎30, ‎2036

Serial number: 579885da6f791eb24de819bb2c0eeff0

Thumbprint: cb34ebad73791c1399cb62bda51c91072ac5b050



SaviAudio root certificate #2

Validity: ‎Thursday, ‎December ‎31, ‎2015 - ‎Tuesday, ‎December ‎30, ‎2036

Serial number: ‎972ed9bce72451bb4bd78bfc0d8b343c

Thumbprint: 23e50cd42214d6252d65052c2a1a591173daace5



Savitech has released a new driver package to address the issue. Savitech drivers version 2.8.0.3 or later do not install the root CA certificate. Users still must remove any previously installed certificate manually.



The researchers have released a blog post with further details and impacts of this issue.