CVE-2025-49148

| EUVD-2025-18119 HIGH
2025-06-11 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 14, 2026 - 21:09 vuln.today
EUVD ID Assigned
Mar 14, 2026 - 21:09 euvd
EUVD-2025-18119
CVE Published
Jun 11, 2025 - 15:15 nvd
HIGH 7.3

Tags

Microsoft RCE Privilege Escalation Windows

Description

ClipShare is a lightweight and cross-platform tool for clipboard sharing. Prior to 3.8.5, ClipShare Server for Windows uses the default Windows DLL search order and loads system libraries like CRYPTBASE.dll and WindowsCodecs.dll from its own directory before the system path. A local, non-privileged user who can write to the folder containing clip_share.exe can place malicious DLLs there, leading to arbitrary code execution in the context of the server, and, if launched by an Administrator (or another elevated user), it results in a reliable local privilege escalation. This vulnerability is fixed in 3.8.5.

Analysis

DLL hijacking vulnerability in ClipShare Server for Windows (versions prior to 3.8.5) that allows local, non-privileged users to achieve arbitrary code execution and potential privilege escalation by placing malicious DLLs in the application directory. The vulnerability exploits Windows' default DLL search order, where the application directory is searched before system paths, and poses a reliable privilege escalation risk when ClipShare is run by elevated users. This is a local attack requiring write access to the installation directory.

Technical Context

This vulnerability exploits CWE-427 (Uncontrolled Search Path Element), a class of weaknesses where applications load dynamic libraries from untrusted locations without proper validation. ClipShare Server for Windows uses the standard Windows DLL search order, which prioritizes the executable's directory over system directories. The vulnerability specifically involves system libraries like CRYPTBASE.dll and WindowsCodecs.dll, which are legitimately called by the application but loaded insecurely. The affected product is ClipShare (CPE: software/clipshare), specifically the Windows Server component versions before 3.8.5. The root cause is improper DLL search path configuration and lack of explicit full-path DLL loading or manifest-based DLL redirection controls.

Affected Products

ClipShare (All versions prior to 3.8.5)

Remediation

Upgrade to ClipShare version 3.8.5 or later; priority: Critical for systems running ClipShare under elevated privileges; verification: Verify version via Help > About or command line: clip_share.exe --version Access Control Mitigation: Restrict write permissions on the ClipShare installation directory to Administrator users only. Set NTFS ACLs to remove Users/Everyone write access.; command_example: icacls 'C:\Program Files\ClipShare' /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' /grant:r 'Administrators:(OI)(CI)F'; priority: High - immediate workaround while awaiting patch Deployment Hardening: Install ClipShare to a directory with restricted write permissions (not Program Files if possible, or ensure NTFS ACLs are enforced). Avoid installing to user-writable directories.; priority: Medium - preventative measure for new deployments Monitoring: Monitor for unexpected DLL files (CRYPTBASE.dll, WindowsCodecs.dll) appearing in the ClipShare installation directory. Alert on any file modifications in the installation directory.; priority: Medium - detective control

Priority Score

37
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +36
POC: 0

Share

CVE-2025-49148 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy