How to fix CVE-2025-26624?

Within 30 days: Identify affected systems running Rufus 4.6.2208 and earlier and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

CVE-2025-26624

MEDIUM

2025-02-18 [email protected]

Privilege Escalation

6.8

CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:27 vuln.today

CVE Published

Feb 18, 2025 - 23:15 nvd

MEDIUM 6.8

DescriptionNVD

Rufus is a utility that helps format and create bootable USB flash drives. A DLL hijacking vulnerability in Rufus 4.6.2208 and earlier versions allows an attacker loading and executing a malicious DLL with escalated privileges (since the executable has been granted higher privileges during the time of launch) due to the ability to inject a malicious cfgmgr32.dll in the same directory as the executable and have it side load automatically. This is fixed in commit 74dfa49, which will be part of version 4.7. Users are advised to upgrade as soon as version 4.7 becomes available. There are no known workarounds for this vulnerability.

AnalysisAI

Rufus is a utility that helps format and create bootable USB flash drives. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-426. Rufus is a utility that helps format and create bootable USB flash drives. A DLL hijacking vulnerability in Rufus 4.6.2208 and earlier versions allows an attacker loading and executing a malicious DLL with escalated privileges (since the executable has been granted higher privileges during the time of launch) due to the ability to inject a malicious cfgmgr32.dll in the same directory as the executable and have it side load automatically. This is fixed in commit 74dfa49, which will be part of version 4.7. Users are advised to upgrade as soon as version 4.7 becomes available. There are no known workarounds for this vulnerability. Version information: version 4.7..

Affected ProductsAI

Rufus 4.6.2208 and earlier versions.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2025-26624 vulnerability details – vuln.today

Back

CVE-2025-26624

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

CVE-2025-26624

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

External POC / Exploit Code