Skip to main content

DFIR-ORC CVE-2026-11958

| EUVDEUVD-2026-37877 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-06-18 INCIBE
7.3
CVSS 4.0 · Vendor: INCIBE
Share

Severity by source

Vendor (INCIBE) PRIMARY
7.3 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.2 HIGH

Local attacker with a standard user account (AV:L, PR:L) drops a DLL and waits for an admin to run DFIR-ORC (UI:R); successful load yields admin code execution crossing a privilege boundary (S:C) with full CIA impact.

3.1 AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (INCIBE).

CVSS VectorVendor: INCIBE

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 18, 2026 - 12:31 vuln.today
Analysis Generated
Jun 18, 2026 - 12:31 vuln.today
CVE Published
Jun 18, 2026 - 11:01 cve.org
HIGH 7.3

DescriptionCVE.org

Local privilege escalation by loading DLLs from a shared temporary directory in ANSSI’s DFIR-ORC, versions 10.2.7 and prior. An attacker with prior access to the system, can place a malicious DLL in C:\Windows\Temp and wait for the application to be executed. Because DFIR-ORC is extracted and executed from that location with administrative privileges, the malicious library can be loaded automatically, allowing the attacker to gain administrator privileges on the affected machine.

AnalysisAI

Local privilege escalation in ANSSI's DFIR-ORC versions 10.2.7 and prior allows a low-privileged local user to gain administrator rights by planting a malicious DLL in C:\Windows\Temp, which the tool loads automatically when extracted and executed from that shared directory. The flaw is a classic uncontrolled search path (CWE-427) issue and was reported by INCIBE; no public exploit identified at time of analysis and the CVE is not in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged shell on Windows host
Delivery
Drop malicious DLL in C:\Windows\Temp with hijack-target name
Exploit
Wait for administrator to launch DFIR-ORC
Execution
DFIR-ORC extracts and loads attacker DLL
Persist
Code executes with administrator privileges
Impact
Establish persistent admin foothold

Vulnerability AssessmentAI

Exploitation The attacker must already have local code execution as a standard user on the target Windows host with write access to C:\Windows\Temp (the default ACL grants Users write-but-not-list permission, which is sufficient to drop a DLL with a known name). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:L/AC:L/AT:P/PR:L/UI:P) correctly characterizes this as a local, user-interaction-dependent escalation rather than a remote threat, but the VC/VI/VA:H plus SC/SI/SA:H impacts produce a base score of 7.3 because the outcome is full administrative compromise of the host. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged attacker who has already landed on a Windows endpoint drops a malicious DLL named after one of DFIR-ORC's expected dependencies into C:\Windows\Temp and waits. When an incident responder later runs DFIR-ORC (typically as administrator) to triage the host, the framework extracts itself into the same directory and loads the attacker's DLL, executing arbitrary code with administrator privileges. …
Remediation Vendor-released patch: upgrade to DFIR-ORC v10.3.0 or later, which restricts ACLs on output and extraction directories to the current user and administrators and adds explicit ACL checks on DFIR-ORC related files (see https://github.com/DFIR-ORC/dfir-orc/releases/tag/v10.3.0 and the INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/local-privilege-escalation-anssis-dfir-orc). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running DFIR-ORC versions 10.2.7 or earlier. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11958 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy