
TrueConf Client CVE-2025-66835

HIGH
Uncontrolled Search Path Element (CWE-427)
2025-12-30 cve@mitre.org
7.1
CVSS 3.1 · Vendor: mitre

Severity by source

Vendor (mitre), PRIMARY: 7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

vuln.today AI: 7.1 HIGH

Local DLL-plant requires an existing low-priv user (AV:L, PR:L); loads on normal client startup (UI:N); code runs at user context yielding high C/I but no availability impact and no scope change.

CVSS 3.1: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS 4.0: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS Vector (Vendor: mitre)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

1. Analysis Generated: Jul 05, 2026 - 03:44 (vuln.today)

Description (CVE.org)

TrueConf Client 8.5.2 is vulnerable to DLL hijacking via crafted wfapi.dll allowing local attackers to execute arbitrary code within the user's context.

Analysis (AI)

Local code execution in TrueConf Client 8.5.2 lets an already-authenticated local user run arbitrary code in the context of the victim user by planting a malicious wfapi.dll that the application loads insecurely (CWE-427). Publicly available exploit code exists, but there is no sign of active exploitation: the CVE is not listed in CISA KEV and its EPSS score is low (0.17%, 6th percentile), indicating little observed real-world exploitation activity. The impact is confined to the current user's context (no privilege escalation to SYSTEM claimed).

Technical Context (AI)

TrueConf Client is a Windows desktop endpoint for the TrueConf video-conferencing/UC platform. The flaw is a classic DLL search-order/uncontrolled-search-path hijacking issue (CWE-427, Uncontrolled Search Path Element): the application resolves and loads wfapi.dll without pinning a fully-qualified trusted path, so Windows' default loader search order can be abused to load an attacker-supplied DLL from a writable directory that precedes the legitimate one. wfapi.dll appears to be a dependency the client expects at load time; because the load is unqualified, any directory the attacker controls in the search path (e.g., the application's own install/working directory or the current working directory) becomes a code-injection vector. The single affected build is identified by CPE cpe:2.3:a:trueconf:trueconf:8.5.2, i.e. version 8.5.2 specifically.

Remediation (AI)

No vendor-released patch or fixed version is identified in the available data, so an exact upgrade target cannot be cited. Check TrueConf's official advisories for a build newer than 8.5.2 before deploying.

Specific compensating controls:

Ensure the TrueConf installation directory and any directory the client uses as its working/current directory are not writable by non-administrative users (tighten NTFS ACLs so standard users cannot drop wfapi.dll there). This removes the attacker's DLL-plant location at the cost of stricter directory management.

Verify that a legitimate signed wfapi.dll is present in the trusted application directory so the loader resolves it before any planted copy.

Apply application allowlisting (e.g., WDAC/AppLocker DLL rules) to block unsigned or unexpected DLLs from loading, accepting the operational overhead of maintaining allowlist rules.

Monitor endpoints for creation of wfapi.dll in unexpected paths.

The only external reference available is the third-party PoC at https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66835/README.md.
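The monitoring and signature-verification controls above can be expressed as detection logic over endpoint telemetry. The following is an added example, not code from the advisory or from TrueConf: it assumes Sysmon-style FileCreate (event ID 11) and ImageLoad (event ID 7) records already parsed into dictionaries, and it uses a placeholder install directory because the page does not state the real one.

```python
import ntpath

# Assumption: the one directory expected to hold wfapi.dll on this fleet.
# Placeholder path; the advisory does not state TrueConf's install location.
TRUSTED_DIRS = {ntpath.normcase(r"C:\PLACEHOLDER\TrueConf")}
TARGET = "wfapi.dll"

def _split(path):
    """Return (directory, filename) normalised for case, slashes and '..'."""
    norm = ntpath.normcase(ntpath.normpath(path))
    return ntpath.dirname(norm), ntpath.basename(norm)

def check_event(ev):
    """Return a finding string for one Sysmon-style event, or None."""
    eid = ev.get("EventID")
    if eid == 11:        # FileCreate
        path = ev.get("TargetFilename", "")
    elif eid == 7:       # ImageLoad
        path = ev.get("ImageLoaded", "")
    else:
        return None
    directory, name = _split(path)
    if name != TARGET:
        return None
    if directory not in TRUSTED_DIRS:
        verb = "created in" if eid == 11 else "loaded from"
        return f"{TARGET} {verb} unexpected path: {path}"
    # In the trusted directory: still require a valid signature at load time.
    if eid == 7 and (ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid"):
        return f"{TARGET} loaded with invalid signature: {path}"
    return None

def scan(events):
    """Return the findings for a list of events, in input order."""
    return [f for f in map(check_event, events) if f]

# Constructed sample events; paths, user and process names are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\Downloads\WFAPI.DLL"},
    {"EventID": 7, "ImageLoaded": r"C:\PLACEHOLDER\TrueConf\wfapi.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "ImageLoaded": r"C:\PLACEHOLDER\TrueConf\..\Temp\wfapi.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "ImageLoaded": r"C:\PLACEHOLDER\TrueConf\wfapi.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "ImageLoaded": r"C:\PLACEHOLDER\TrueConf\other.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_EVENTS)))
```

Paths are normalised before comparison so that case differences and `..` segments do not let a load from outside the trusted directory pass as trusted.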
