Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local attacker with a standard user account (AV:L, PR:L) drops a DLL and waits for an admin to run DFIR-ORC (UI:R); successful load yields admin code execution crossing a privilege boundary (S:C) with full CIA impact.
Primary rating from Vendor (INCIBE).
CVSS VectorVendor: INCIBE
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Local privilege escalation by loading DLLs from a shared temporary directory in ANSSI’s DFIR-ORC, versions 10.2.7 and prior. An attacker with prior access to the system, can place a malicious DLL in C:\Windows\Temp and wait for the application to be executed. Because DFIR-ORC is extracted and executed from that location with administrative privileges, the malicious library can be loaded automatically, allowing the attacker to gain administrator privileges on the affected machine.
AnalysisAI
Local privilege escalation in ANSSI's DFIR-ORC versions 10.2.7 and prior allows a low-privileged local user to gain administrator rights by planting a malicious DLL in C:\Windows\Temp, which the tool loads automatically when extracted and executed from that shared directory. The flaw is a classic uncontrolled search path (CWE-427) issue and was reported by INCIBE; no public exploit identified at time of analysis and the CVE is not in CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must already have local code execution as a standard user on the target Windows host with write access to C:\Windows\Temp (the default ACL grants Users write-but-not-list permission, which is sufficient to drop a DLL with a known name). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (AV:L/AC:L/AT:P/PR:L/UI:P) correctly characterizes this as a local, user-interaction-dependent escalation rather than a remote threat, but the VC/VI/VA:H plus SC/SI/SA:H impacts produce a base score of 7.3 because the outcome is full administrative compromise of the host. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged attacker who has already landed on a Windows endpoint drops a malicious DLL named after one of DFIR-ORC's expected dependencies into C:\Windows\Temp and waits. When an incident responder later runs DFIR-ORC (typically as administrator) to triage the host, the framework extracts itself into the same directory and loads the attacker's DLL, executing arbitrary code with administrator privileges. … |
| Remediation | Vendor-released patch: upgrade to DFIR-ORC v10.3.0 or later, which restricts ACLs on output and extraction directories to the current user and administrators and adds explicit ACL checks on DFIR-ORC related files (see https://github.com/DFIR-ORC/dfir-orc/releases/tag/v10.3.0 and the INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/local-privilege-escalation-anssis-dfir-orc). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running DFIR-ORC versions 10.2.7 or earlier. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-427 – Uncontrolled Search Path Element
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37877