Common Weakness Enumeration

CWE-426

Allowed-with-Review

Untrusted Search Path

Abstraction: Base · Status: Stable

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

892 vulnerabilities reference this CWE, most recent first.

CVE-2026-2516 (GCVE-0-2026-2516)

Vulnerability from cvelistv5 – Published: 2026-02-15 12:02 – Updated: 2026-04-13 06:42
VLAI
Title
Unidocs ezPDF DRM Reader/ezPDF Reader SHFOLDER.dll uncontrolled search path
Summary
A vulnerability was identified in Unidocs ezPDF DRM Reader and ezPDF Reader 2.0/3.0.0.4. This affects an unknown part in the library SHFOLDER.dll. Such manipulation leads to uncontrolled search path. The attack needs to be performed locally. Attacks of this nature are highly complex. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. Upgrading the affected component is recommended. The vendor explains: "[W]e have already addressed similar DLL search path vulnerability patterns through prior security updates. (...) Users are advised to use the latest version provided by the vendor."
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Unidocs ezPDF DRM Reader Affected: 2.0
Affected: 3.0.0.4
Create a notification for this product.
Unidocs ezPDF Reader Affected: 2.0
Affected: 3.0.0.4
Create a notification for this product.
Credits
RoyalSnek (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2516",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-17T17:23:23.099624Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-17T17:23:29.198Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ezPDF DRM Reader",
          "vendor": "Unidocs",
          "versions": [
            {
              "status": "affected",
              "version": "2.0"
            },
            {
              "status": "affected",
              "version": "3.0.0.4"
            }
          ]
        },
        {
          "product": "ezPDF Reader",
          "vendor": "Unidocs",
          "versions": [
            {
              "status": "affected",
              "version": "2.0"
            },
            {
              "status": "affected",
              "version": "3.0.0.4"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "RoyalSnek (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was identified in Unidocs ezPDF DRM Reader and ezPDF Reader 2.0/3.0.0.4. This affects an unknown part in the library SHFOLDER.dll. Such manipulation leads to uncontrolled search path. The attack needs to be performed locally. Attacks of this nature are highly complex. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. Upgrading the affected component is recommended. The vendor explains: \"[W]e have already addressed similar DLL search path vulnerability patterns through prior security updates. (...) Users are advised to use the latest version provided by the vendor.\""
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6,
            "vectorString": "AV:L/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-427",
              "description": "Uncontrolled Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T06:42:44.784Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-346107 | Unidocs ezPDF DRM Reader/ezPDF Reader SHFOLDER.dll uncontrolled search path",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/346107"
        },
        {
          "name": "VDB-346107 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/346107/cti"
        },
        {
          "name": "Submit #736172 | Unidocs Inc. ezPDF DRM Reader / ezPDF Reader v3.0.0.4 / v2.0 Uncontrolled Search Path",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/736172"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://gofile.me/7bU54/ZG47Lh7Yx"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "http://www.unidocs.com/programs/ezPDF_DRM_Reader/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-14T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-02-14T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-04-13T08:47:28.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Unidocs ezPDF DRM Reader/ezPDF Reader SHFOLDER.dll uncontrolled search path"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-2516",
    "datePublished": "2026-02-15T12:02:06.101Z",
    "dateReserved": "2026-02-14T19:41:22.319Z",
    "dateUpdated": "2026-04-13T06:42:44.784Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-0662 (GCVE-0-2026-0662)

Vulnerability from cvelistv5 – Published: 2026-02-04 16:28 – Updated: 2026-02-26 15:04
VLAI
Title
Untrusted Search Path Vulnerability when opening max Files
Summary
A maliciously crafted project directory, when opening a max file in Autodesk 3ds Max, could lead to execution of arbitrary code in the context of the current process due to an Untrusted Search Path being utilized.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
Autodesk 3ds Max Affected: 2026 , < 2026.3.2 (custom)
    cpe:2.3:a:autodesk:3ds_max:2026:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-0662",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-06T04:55:24.821645Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T15:04:19.038Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:autodesk:3ds_max:2026:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "3ds Max",
          "vendor": "Autodesk",
          "versions": [
            {
              "lessThan": "2026.3.2",
              "status": "affected",
              "version": "2026",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A maliciously crafted project directory, when opening a max file in Autodesk 3ds Max, could lead to execution of arbitrary code in the context of the current process due to an Untrusted Search Path being utilized."
            }
          ],
          "value": "A maliciously crafted project directory, when opening a max file in Autodesk 3ds Max, could lead to execution of arbitrary code in the context of the current process due to an Untrusted Search Path being utilized."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-471",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-471: Search Order Hijacking"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426 Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-04T16:28:31.980Z",
        "orgId": "7e40ea87-bc65-4944-9723-dd79dd760601",
        "shortName": "autodesk"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://www.autodesk.com/products/autodesk-access/overview"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Untrusted Search Path Vulnerability when opening max Files",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7e40ea87-bc65-4944-9723-dd79dd760601",
    "assignerShortName": "autodesk",
    "cveId": "CVE-2026-0662",
    "datePublished": "2026-02-04T16:28:31.980Z",
    "dateReserved": "2026-01-06T19:58:25.162Z",
    "dateUpdated": "2026-02-26T15:04:19.038Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-0251 (GCVE-0-2026-0251)

Vulnerability from cvelistv5 – Published: 2026-05-13 18:20 – Updated: 2026-05-14 03:56
VLAI
Title
GlobalProtect App: Local Privilege Escalation Vulnerabilities
Summary
Multiple local privilege escalation vulnerabilities in the Palo Alto Networks GlobalProtect™ app allow a local user to escalate their privileges to NT AUTHORITY\SYSTEM on Windows and root on macOS and Linux. This enables a non-administrative user to execute arbitrary commands with administrative privileges. The GlobalProtect app on iOS, Android, Chrome OS and GlobalProtect UWP app are not affected.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Palo Alto Networks GlobalProtect App Affected: 6.3.0 , < 6.3.3-h9 (6.3.3-999) (custom)
Affected: 6.2.0 , < 6.2.8-h10 (6.2.8-948) (custom)
Affected: 6.0.0 , < 6.0.13 (custom)
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.12:*:*:*:*:Windows:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:Windows:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:Windows:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:Windows:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:Windows:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:Windows:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:Windows:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:Windows:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:Windows:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:Windows:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:Windows:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:Windows:*:*
Create a notification for this product.
Palo Alto Networks GlobalProtect App Affected: 6.3.0 , < 6.3.3-h9 (6.3.3-999) (custom)
Affected: 6.2.0 , < 6.2.8-h10 (6.2.8-948) (custom)
Affected: 6.0.0 , < 6.0.13 (custom)
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.12:*:*:*:*:macOS:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:macOS:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:macOS:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:macOS:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:macOS:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:macOS:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:macOS:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:macOS:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:macOS:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:macOS:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:macOS:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:macOS:*:*
Create a notification for this product.
Palo Alto Networks GlobalProtect App Affected: 6.3.0 , < 6.3.3-h2 (6.3.3-42) (custom)
Affected: 6.0.0 , < 6.0.11 (custom)
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.12:*:*:*:*:Linux:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:Linux:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:Linux:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:Linux:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:Linux:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:Linux:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:Linux:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:Linux:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:Linux:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:Linux:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:Linux:*:*
    cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:Linux:*:*
Create a notification for this product.
Palo Alto Networks Global Protect App Unaffected: All (custom)
Create a notification for this product.
Date Public
2026-05-13 16:00
Credits
Palo Alto Networks thanks our internal security research teams for discovering and reporting this issue.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-0251",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T03:56:34.668Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.12:*:*:*:*:Windows:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:Windows:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:Windows:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:Windows:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:Windows:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:Windows:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:Windows:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:Windows:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:Windows:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:Windows:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:Windows:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:Windows:*:*"
          ],
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "GlobalProtect App",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "changes": [
                {
                  "at": "6.3.3-h9 (6.3.3-999)",
                  "status": "unaffected"
                }
              ],
              "lessThan": "6.3.3-h9 (6.3.3-999)",
              "status": "affected",
              "version": "6.3.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.2.8-h10 (6.2.8-948)",
                  "status": "unaffected"
                }
              ],
              "lessThan": "6.2.8-h10 (6.2.8-948)",
              "status": "affected",
              "version": "6.2.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.0.13",
                  "status": "unaffected"
                }
              ],
              "lessThan": "6.0.13",
              "status": "affected",
              "version": "6.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.12:*:*:*:*:macOS:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:macOS:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:macOS:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:macOS:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:macOS:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:macOS:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:macOS:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:macOS:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:macOS:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:macOS:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:macOS:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:macOS:*:*"
          ],
          "defaultStatus": "unaffected",
          "platforms": [
            "macOS"
          ],
          "product": "GlobalProtect App",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "changes": [
                {
                  "at": "6.3.3-h9 (6.3.3-999)",
                  "status": "unaffected"
                }
              ],
              "lessThan": "6.3.3-h9 (6.3.3-999)",
              "status": "affected",
              "version": "6.3.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.2.8-h10 (6.2.8-948)",
                  "status": "unaffected"
                }
              ],
              "lessThan": "6.2.8-h10 (6.2.8-948)",
              "status": "affected",
              "version": "6.2.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.0.13",
                  "status": "unaffected"
                }
              ],
              "lessThan": "6.0.13",
              "status": "affected",
              "version": "6.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.12:*:*:*:*:Linux:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:Linux:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:Linux:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:Linux:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:Linux:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:Linux:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:Linux:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:Linux:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:Linux:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:Linux:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:Linux:*:*",
            "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:Linux:*:*"
          ],
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux"
          ],
          "product": "GlobalProtect App",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "changes": [
                {
                  "at": "6.3.3-h2 (6.3.3-42)",
                  "status": "unaffected"
                }
              ],
              "lessThan": "6.3.3-h2 (6.3.3-42)",
              "status": "affected",
              "version": "6.3.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.0.11",
                  "status": "unaffected"
                }
              ],
              "lessThan": "6.0.11",
              "status": "affected",
              "version": "6.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Android",
            "ChromeOS",
            "iOS",
            "UWP"
          ],
          "product": "Global Protect App",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "All",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "eng",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eNo special configuration is required to be affected by this issue.\u003c/p\u003e"
            }
          ],
          "value": "No special configuration is required to be affected by this issue."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Windows:*:*",
                  "versionEndExcluding": "6.3.3-h9_(6.3.3-999)",
                  "versionStartIncluding": "6.3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Windows:*:*",
                  "versionEndExcluding": "6.2.8-h10_(6.2.8-948)",
                  "versionStartIncluding": "6.2.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Windows:*:*",
                  "versionEndExcluding": "6.0.13",
                  "versionStartIncluding": "6.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:macOS:*:*",
                  "versionEndExcluding": "6.3.3-h9_(6.3.3-999)",
                  "versionStartIncluding": "6.3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:macOS:*:*",
                  "versionEndExcluding": "6.2.8-h10_(6.2.8-948)",
                  "versionStartIncluding": "6.2.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:macOS:*:*",
                  "versionEndExcluding": "6.0.13",
                  "versionStartIncluding": "6.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Linux:*:*",
                  "versionEndExcluding": "6.3.3-h2_(6.3.3-42)",
                  "versionStartIncluding": "6.3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Linux:*:*",
                  "versionEndExcluding": "6.0.11",
                  "versionStartIncluding": "6.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "other",
          "value": "Palo Alto Networks thanks our internal security research teams for discovering and reporting this issue."
        }
      ],
      "datePublic": "2026-05-13T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMultiple local privilege escalation vulnerabilities in the Palo Alto Networks GlobalProtect\u2122 app allow a local user to escalate their privileges to NT AUTHORITY\\SYSTEM on Windows and root on macOS and Linux. This enables a non-administrative user to execute arbitrary commands with administrative privileges.\u003cbr\u003e\u003cbr\u003eThe GlobalProtect app on iOS, Android, Chrome OS and GlobalProtect UWP app are not affected.\u003c/p\u003e"
            }
          ],
          "value": "Multiple local privilege escalation vulnerabilities in the Palo Alto Networks GlobalProtect\u2122 app allow a local user to escalate their privileges to NT AUTHORITY\\SYSTEM on Windows and root on macOS and Linux. This enables a non-administrative user to execute arbitrary commands with administrative privileges.\n\nThe GlobalProtect app on iOS, Android, Chrome OS and GlobalProtect UWP app are not affected."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003ePalo Alto Networks is not aware of any malicious exploitation of these issues.\u003c/p\u003e"
            }
          ],
          "value": "Palo Alto Networks is not aware of any malicious exploitation of these issues."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "UNREPORTED",
            "privilegesRequired": "LOW",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426 Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T18:20:01.156Z",
        "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
        "shortName": "palo_alto"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.paloaltonetworks.com/CVE-2026-0251"
        }
      ],
      "solutions": [
        {
          "lang": "eng",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ctable class=\"tbl\"\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003c/th\u003e\u003cth\u003eMinor Version\u003c/th\u003e\u003cth\u003eSuggested Solution\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eGlobalProtect App 6.0 on Windows\u003c/td\u003e\u003ctd\u003e6.0.0 through 6.0.12\u003c/td\u003e\u003ctd\u003eUpgrade to 6.0.13 or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGlobalProtect App 6.2 on Windows\u003c/td\u003e\u003ctd\u003e6.2.0 through 6.2.8-h9\u003c/td\u003e\u003ctd\u003eUpgrade to 6.2.8-h10 (6.2.8-948) or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGlobalProtect App 6.3 on Windows\u003c/td\u003e\u003ctd\u003e6.3.0 through 6.3.3-h8\u003c/td\u003e\u003ctd\u003eUpgrade to 6.3.3-h9 (6.3.3-999) or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGlobalProtect App 6.0 on macOS\u003c/td\u003e\u003ctd\u003e6.0.0 through 6.0.12\u003c/td\u003e\u003ctd\u003eUpgrade to 6.0.13 or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGlobalProtect App 6.2 on macOS\u003c/td\u003e\u003ctd\u003e6.2.0 through 6.2.8-h9\u003c/td\u003e\u003ctd\u003eUpgrade to 6.2.8-h10 (6.2.8-948) or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGlobalProtect App 6.3 on macOS\u003c/td\u003e\u003ctd\u003e6.3.0 through 6.3.3-h8\u003c/td\u003e\u003ctd\u003eUpgrade to 6.3.3-h9 (6.3.3-999) or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGlobalProtect App 6.0 on Linux\u003c/td\u003e\u003ctd\u003e6.0.0 through 6.0.10\u003c/td\u003e\u003ctd\u003eUpgrade to 6.0.11 or later\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGlobalProtect App 6.2 on Linux\u003c/td\u003e\u003ctd\u003e6.2.0 through 6.2.9\u003c/td\u003e\u003ctd\u003eUpgrade to 6.3.3-h2 (6.3.3-42) or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGlobalProtect App 6.3 on Linux\u003c/td\u003e\u003ctd\u003e6.3.0 through 6.3.3-h1\u003c/td\u003e\u003ctd\u003eUpgrade to 6.3.3-h2 (6.3.3-42) or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGlobalProtect App on Android\u003c/td\u003e\u003ctd\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGlobalProtect App on Chrome OS\u003c/td\u003e\u003ctd\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGlobalProtect App on iOS\u003c/td\u003e\u003ctd\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGlobalProtect App on UWP\u003c/td\u003e\u003ctd\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"
            }
          ],
          "value": "VERSION                            MINOR VERSION            SUGGESTED SOLUTION\nGlobalProtect App 6.0 on Windows   6.0.0 through 6.0.12     Upgrade to 6.0.13 or later.\nGlobalProtect App 6.2 on Windows   6.2.0 through 6.2.8-h9   Upgrade to 6.2.8-h10 (6.2.8-948) or later.\nGlobalProtect App 6.3 on Windows   6.3.0 through 6.3.3-h8   Upgrade to 6.3.3-h9 (6.3.3-999) or later.\nGlobalProtect App 6.0 on macOS     6.0.0 through 6.0.12     Upgrade to 6.0.13 or later.\nGlobalProtect App 6.2 on macOS     6.2.0 through 6.2.8-h9   Upgrade to 6.2.8-h10 (6.2.8-948) or later.\nGlobalProtect App 6.3 on macOS     6.3.0 through 6.3.3-h8   Upgrade to 6.3.3-h9 (6.3.3-999) or later.\nGlobalProtect App 6.0 on Linux     6.0.0 through 6.0.10     Upgrade to 6.0.11 or later\nGlobalProtect App 6.2 on Linux     6.2.0 through 6.2.9      Upgrade to 6.3.3-h2 (6.3.3-42) or later.\nGlobalProtect App 6.3 on Linux     6.3.0 through 6.3.3-h1   Upgrade to 6.3.3-h2 (6.3.3-42) or later.\nGlobalProtect App on Android                                No action needed.\nGlobalProtect App on Chrome OS                              No action needed.\nGlobalProtect App on iOS                                    No action needed.\nGlobalProtect App on UWP                                    No action needed."
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-13T16:00:00.000Z",
          "value": "Initial publication."
        }
      ],
      "title": "GlobalProtect App: Local Privilege Escalation Vulnerabilities",
      "workarounds": [
        {
          "lang": "eng",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eNo known workarounds exist for this issue.\u003c/p\u003e"
            }
          ],
          "value": "No known workarounds exist for this issue."
        }
      ],
      "x_affectedList": [
        "GlobalProtect App 6.0.12",
        "GlobalProtect App 6.0.11",
        "GlobalProtect App 6.0.10",
        "GlobalProtect App 6.0.8",
        "GlobalProtect App 6.0.7",
        "GlobalProtect App 6.0.6",
        "GlobalProtect App 6.0.5",
        "GlobalProtect App 6.0.4",
        "GlobalProtect App 6.0.3",
        "GlobalProtect App 6.0.2",
        "GlobalProtect App 6.0.1",
        "GlobalProtect App 6.0.0",
        "GlobalProtect App 6.0"
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
    "assignerShortName": "palo_alto",
    "cveId": "CVE-2026-0251",
    "datePublished": "2026-05-13T18:20:01.156Z",
    "dateReserved": "2025-11-03T20:44:11.930Z",
    "dateUpdated": "2026-05-14T03:56:34.668Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-67722 (GCVE-0-2025-67722)

Vulnerability from cvelistv5 – Published: 2025-12-16 00:14 – Updated: 2026-02-26 16:07
VLAI
Title
Authenticated amportal search for ‘freepbx_engine’ in non root writeable directories leads to potential privilege escalation
Summary
FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to versions 16.0.45 and 17.0.24 of the FreePBX framework, an authenticated local privilege escalation exists in the deprecated FreePBX startup script `amportal`. In the deprecated `amportal` utility, the lookup for the `freepbx_engine` file occurs in `/etc/asterisk/` directories. Typically, these are configured by FreePBX as writable by the **asterisk** user and any members of the **asterisk** group. This means that a member of the **asterisk** group can add their own `freepbx_engine` file in `/etc/asterisk/` and upon `amportal` executing, it would exec that file with root permissions (even though the file was created and placed by a non-root user). Version 16.0.45 and 17.0.24 contain a fix for the issue. Other mitigation strategies are also available. Confirm only trusted local OS system users are members of the `asterisk` group. Look for suspicious files in the `/etc/asterisk/` directory (via Admin -> Config Edit in the GUI, or via CLI). Double-check that `live_dangerously = no` is set (or unconfigured, as the default is **no**) in `/etc/asterisk/asterisk.conf` file. Eliminate any unsafe custom use of Asterisk dial plan applications and functions that potentially can manipulate the file system, e.g., System(), FILE(), etc.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
FreePBX framework Affected: < 16.0.45
Affected: >= 17.0.0, < 17.0.24
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-67722",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-17T04:56:05.966962Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T16:07:34.753Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "framework",
          "vendor": "FreePBX",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 16.0.45"
            },
            {
              "status": "affected",
              "version": "\u003e= 17.0.0, \u003c 17.0.24"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to versions 16.0.45 and 17.0.24 of the FreePBX framework, an authenticated local privilege escalation exists in the deprecated FreePBX startup script `amportal`. In the deprecated `amportal` utility, the lookup for the `freepbx_engine` file occurs in `/etc/asterisk/` directories. Typically, these are configured by FreePBX as writable by the **asterisk** user and any members of the **asterisk** group. This means that a member of the **asterisk** group can add their own `freepbx_engine` file in `/etc/asterisk/` and upon `amportal` executing, it would exec that file with root permissions (even though the file was created and placed by a non-root user). Version 16.0.45 and 17.0.24 contain a fix for the issue. Other mitigation strategies are also available. Confirm only trusted local OS system users are members of the `asterisk` group. Look for suspicious files in the `/etc/asterisk/` directory (via Admin -\u003e Config Edit in the GUI, or via CLI). Double-check that `live_dangerously = no` is set (or unconfigured, as the default is **no**) in `/etc/asterisk/asterisk.conf` file. Eliminate any unsafe custom use of Asterisk dial plan applications and functions that potentially can manipulate the file system, e.g., System(), FILE(), etc."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426: Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-13T22:11:11.719Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-p42w-v77m-hfp8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-p42w-v77m-hfp8"
        },
        {
          "name": "https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80"
        }
      ],
      "source": {
        "advisory": "GHSA-p42w-v77m-hfp8",
        "discovery": "UNKNOWN"
      },
      "title": "Authenticated amportal search for \u2018freepbx_engine\u2019 in non root writeable directories leads to potential privilege escalation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-67722",
    "datePublished": "2025-12-16T00:14:18.746Z",
    "dateReserved": "2025-12-10T18:46:14.763Z",
    "dateUpdated": "2026-02-26T16:07:34.753Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-65078 (GCVE-0-2025-65078)

Vulnerability from cvelistv5 – Published: 2026-02-03 20:51 – Updated: 2026-02-26 15:04
VLAI
Title
Untrusted search path vulnerability in Embedded Solutions Framework
Summary
An untrusted search path vulnerability has been identified in the Embedded Solutions Framework in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-65078",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-06T04:55:26.714128Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T15:04:23.262Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ",
          "vendor": "Lexmark",
          "versions": [
            {
              "lessThan": "250.210",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CSTAT, CXTAT, MSLBD, MXLBD, CSLBL, CXLBL, CSLBN, CXLBN, CSTMH, CXTMH, CSTPP, CXTPP, MSLSG, MXLSG",
          "vendor": "Lexmark",
          "versions": [
            {
              "lessThan": "230.507",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An untrusted search path vulnerability has been identified in the Embedded Solutions Framework in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code."
            }
          ],
          "value": "An untrusted search path vulnerability has been identified in the Embedded Solutions Framework in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Lexmark is not aware of any malicious use against Lexmark products of the vulnerability described in this advisory.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Lexmark is not aware of any malicious use against Lexmark products of the vulnerability described in this advisory."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-38",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-38 Leveraging/Manipulating Configuration File Search Paths"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426 Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T20:51:20.556Z",
        "orgId": "7bc73191-a2b6-4c63-9918-753964601853",
        "shortName": "Lexmark"
      },
      "references": [
        {
          "url": "https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Untrusted search path vulnerability in Embedded Solutions Framework",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Lexmark recommends a firmware update if your device has affected firmware.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Lexmark recommends a firmware update if your device has affected firmware."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7bc73191-a2b6-4c63-9918-753964601853",
    "assignerShortName": "Lexmark",
    "cveId": "CVE-2025-65078",
    "datePublished": "2026-02-03T20:51:20.556Z",
    "dateReserved": "2025-11-17T13:56:38.588Z",
    "dateUpdated": "2026-02-26T15:04:23.262Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-64785 (GCVE-0-2025-64785)

Vulnerability from cvelistv5 – Published: 2025-12-09 20:21 – Updated: 2026-04-28 02:23
VLAI
Title
Acrobat Reader | Untrusted Search Path (CWE-426)
Summary
Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. If the application uses a search path to locate critical resources such as programs, an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue requires user interaction in that the user needs to open a malicious file.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-426 - Untrusted Search Path (CWE-426)
Assigner
References
Impacted products
Vendor Product Version
Adobe Acrobat Reader Affected: 0 , ≤ 20.005.30803 (semver)
Create a notification for this product.
Date Public
2025-12-09 17:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64785",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-10T04:57:34.694118Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T16:21:08.184Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Acrobat Reader",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "20.005.30803",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-12-09T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. If the application uses a search path to locate critical resources such as programs, an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue requires user interaction in that the user needs to open a malicious file."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 7.8,
            "environmentalSeverity": "HIGH",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "HIGH",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "LOCAL",
            "modifiedAvailabilityImpact": "HIGH",
            "modifiedConfidentialityImpact": "HIGH",
            "modifiedIntegrityImpact": "HIGH",
            "modifiedPrivilegesRequired": "NONE",
            "modifiedScope": "UNCHANGED",
            "modifiedUserInteraction": "REQUIRED",
            "privilegesRequired": "NONE",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "UNCHANGED",
            "temporalScore": 7.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "Untrusted Search Path (CWE-426)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T02:23:21.663Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/acrobat/apsb25-119.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Acrobat Reader | Untrusted Search Path (CWE-426)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2025-64785",
    "datePublished": "2025-12-09T20:21:05.355Z",
    "dateReserved": "2025-11-11T22:48:38.823Z",
    "dateUpdated": "2026-04-28T02:23:21.663Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-60718 (GCVE-0-2025-60718)

Vulnerability from cvelistv5 – Published: 2025-11-11 17:59 – Updated: 2026-02-26 16:57
VLAI
Title
Windows Administrator Protection Elevation of Privilege Vulnerability
Summary
Untrusted search path in Windows Administrator Protection allows an authorized attacker to elevate privileges locally.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Microsoft Windows 11 Version 24H2 Affected: 10.0.26100.0 , < 10.0.26100.7171 (custom)
Create a notification for this product.
Microsoft Windows 11 Version 25H2 Affected: 10.0.26200.0 , < 10.0.26200.7171 (custom)
Create a notification for this product.
Date Public
2025-11-11 08:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-60718",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-12T04:57:34.031502Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T16:57:22.835Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 11 Version 24H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26100.7171",
              "status": "affected",
              "version": "10.0.26100.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Windows 11 Version 25H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26200.7171",
              "status": "affected",
              "version": "10.0.26200.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*",
                  "versionEndExcluding": "10.0.26100.7171",
                  "versionStartIncluding": "10.0.26100.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*",
                  "versionEndExcluding": "10.0.26200.7171",
                  "versionStartIncluding": "10.0.26200.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2025-11-11T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Untrusted search path in Windows Administrator Protection allows an authorized attacker to elevate privileges locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426: Untrusted Search Path",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-13T20:46:06.306Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Windows Administrator Protection Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60718"
        }
      ],
      "title": "Windows Administrator Protection Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2025-60718",
    "datePublished": "2025-11-11T17:59:39.236Z",
    "dateReserved": "2025-09-26T05:03:24.537Z",
    "dateUpdated": "2026-02-26T16:57:22.835Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-49642 (GCVE-0-2025-49642)

Vulnerability from cvelistv5 – Published: 2025-12-01 13:03 – Updated: 2025-12-01 14:36
VLAI
Title
Agent builds for AIX vulnerable to library loading hijacking
Summary
Library loading on AIX Zabbix Agent builds can be hijacked by local users with write access to the /home/cecuser directory.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Zabbix Zabbix Affected: 6.0.0 , ≤ 6.0.36 (git)
Affected: 7.0.0 , ≤ 7.0.5 (git)
Affected: 7.2.0 , < 7.2.1 (git)
Create a notification for this product.
Credits
Zabbix wants to thank José Pina Coelho for finding and reporting this issue.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49642",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-01T14:36:06.559257Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-01T14:36:26.384Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "Agent"
          ],
          "product": "Zabbix",
          "repo": "https://git.zabbix.com/",
          "vendor": "Zabbix",
          "versions": [
            {
              "changes": [
                {
                  "at": "6.0.40",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.0.36",
              "status": "affected",
              "version": "6.0.0",
              "versionType": "git"
            },
            {
              "changes": [
                {
                  "at": "7.0.6",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "7.0.5",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "git"
            },
            {
              "changes": [
                {
                  "at": "7.2.6",
                  "status": "unaffected"
                }
              ],
              "lessThan": "7.2.1",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eExploitation requires access to a local user account with write permissions to /home/cecuser.\u003c/p\u003e"
            }
          ],
          "value": "Exploitation requires access to a local user account with write permissions to /home/cecuser."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Zabbix wants to thank Jos\u00e9 Pina Coelho for finding and reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eLibrary loading on AIX Zabbix Agent builds can be hijacked by local users with write access to the /home/cecuser directory.\u003c/p\u003e"
            }
          ],
          "value": "Library loading on AIX Zabbix Agent builds can be hijacked by local users with write access to the /home/cecuser directory."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-159",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-159: Redirect Access to Libraries"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426: Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T13:03:38.752Z",
        "orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8",
        "shortName": "Zabbix"
      },
      "references": [
        {
          "url": "https://support.zabbix.com/browse/ZBX-27283"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUpdate AIX Zabbix Agent packages to their respective fixed versions.\u003c/p\u003e"
            }
          ],
          "value": "Update AIX Zabbix Agent packages to their respective fixed versions."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Agent builds for AIX vulnerable to library loading hijacking",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMake sure /home/cecuser directory is only accessible to trusted users.\u003c/p\u003e"
            }
          ],
          "value": "Make sure /home/cecuser directory is only accessible to trusted users."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8",
    "assignerShortName": "Zabbix",
    "cveId": "CVE-2025-49642",
    "datePublished": "2025-12-01T13:03:38.752Z",
    "dateReserved": "2025-06-09T12:23:32.445Z",
    "dateUpdated": "2025-12-01T14:36:26.384Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-49457 (GCVE-0-2025-49457)

Vulnerability from cvelistv5 – Published: 2025-08-12 22:54 – Updated: 2026-02-26 17:48
VLAI
Title
Zoom Clients for Windows - Untrusted Search Path
Summary
Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Date Public
2025-08-12 12:01
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49457",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-14T03:56:14.834393Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T17:48:42.934Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "Zoom Clients for Windows",
          "vendor": "Zoom Communications Inc",
          "versions": [
            {
              "status": "affected",
              "version": "see references"
            }
          ]
        }
      ],
      "datePublic": "2025-08-12T12:01:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eUntrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access\u003c/span\u003e\u003c/p\u003e"
            }
          ],
          "value": "Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426 Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-12T22:54:20.362Z",
        "orgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351",
        "shortName": "Zoom"
      },
      "references": [
        {
          "url": "https://www.zoom.com/en/trust/security-bulletin/zsb-25030"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Zoom Clients for Windows - Untrusted Search Path",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351",
    "assignerShortName": "Zoom",
    "cveId": "CVE-2025-49457",
    "datePublished": "2025-08-12T22:54:20.362Z",
    "dateReserved": "2025-06-04T22:48:18.920Z",
    "dateUpdated": "2026-02-26T17:48:42.934Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-49456 (GCVE-0-2025-49456)

Vulnerability from cvelistv5 – Published: 2025-08-12 22:52 – Updated: 2025-08-13 13:24
VLAI
Title
Zoom Clients for Windows- Race Condition
Summary
Race condition in the installer for certain Zoom Clients for Windows may allow an unauthenticated user to impact application integrity via local access.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Date Public
2025-08-12 12:01
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49456",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-13T13:23:20.937393Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-13T13:24:11.169Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "Zoom Clients for Windows",
          "vendor": "Zoom Communications Inc",
          "versions": [
            {
              "status": "affected",
              "version": "see references"
            }
          ]
        }
      ],
      "datePublic": "2025-08-12T12:01:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: transparent;\"\u003e\u003cspan style=\"background-color: transparent;\"\u003eRace condition in the installer for certain Zoom Clients for Windows may allow an unauthenticated user to impact  application integrity via\u003c/span\u003e\u003c/span\u003e \u003cspan style=\"background-color: transparent;\"\u003e\u003cspan style=\"background-color: transparent;\"\u003elocal access.\u003c/span\u003e\u003c/span\u003e"
            }
          ],
          "value": "Race condition in the installer for certain Zoom Clients for Windows may allow an unauthenticated user to impact  application integrity via local access."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426 Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-12T22:54:46.093Z",
        "orgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351",
        "shortName": "Zoom"
      },
      "references": [
        {
          "url": "https://www.zoom.com/en/trust/security-bulletin/zsb-25029"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Zoom Clients for Windows- Race Condition",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351",
    "assignerShortName": "Zoom",
    "cveId": "CVE-2025-49456",
    "datePublished": "2025-08-12T22:52:22.718Z",
    "dateReserved": "2025-06-04T22:48:18.920Z",
    "dateUpdated": "2025-08-13T13:24:11.169Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Architecture and Design Implementation

Strategy: Attack Surface Reduction

Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.

Mitigation
Implementation

When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Mitigation
Implementation

Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.

Mitigation
Implementation

Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.

Mitigation
Implementation

Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.

CAPEC-38: Leveraging/Manipulating Configuration File Search Paths

This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.