Skip to main content

Punto Switcher CVE-2026-25865

| EUVDEUVD-2026-37940 HIGH
Unquoted Search Path or Element (CWE-428)
2026-06-18 VulnCheck GHSA-w78p-vwm4-m8q9
8.5
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

Local attack vector with low complexity; requires an authenticated low-privileged user with write access to a search-path directory (PR:L), no user interaction, and full CIA impact in the affected user's context with no scope change.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 18, 2026 - 20:02 vuln.today

DescriptionCVE.org

Punto Switcher through 4.5.0.583 contains an unquoted search path element vulnerability that allows local attackers to execute arbitrary code by exploiting the application's call to WinExec without a fully qualified path for RunDll32.exe when invoking shell32.dll Control_RunDLL input.dll. Attackers can place a malicious executable earlier in the search order to achieve arbitrary code execution in the context of the affected user.

AnalysisAI

Local privilege escalation and arbitrary code execution affects Yandex Punto Switcher through version 4.5.0.583 due to an unquoted search path passed to WinExec when launching RunDll32.exe to invoke shell32.dll's Control_RunDLL with input.dll. An authenticated local attacker who can drop an executable into an earlier directory in the Windows search order can hijack execution and run code in the context of the affected user. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local user access on Windows host
Delivery
Identify writable directory ahead of System32 in search order
Exploit
Plant malicious rundll32.exe
Execution
Wait for Punto Switcher to call WinExec for Control_RunDLL input.dll
Persist
Hijacked binary executes in user context
Impact
Establish persistence or pivot

Vulnerability AssessmentAI

Exploitation Requires local code execution as an interactive user on a Windows host where Yandex Punto Switcher 4.5.0.583 or earlier is installed, plus write access to a directory that precedes %SystemRoot%\System32 in the Windows executable search order used by WinExec (typically the application's working directory or a user-controlled entry on %PATH%). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) accurately reflects a local, low-complexity, low-privilege flaw with full CIA impact on the vulnerable system but no scope change - a score of 8.5 is appropriate for a reliable local code-execution primitive. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A standard user (or malware already running as that user) drops a malicious rundll32.exe into a directory that appears in the executable search order before %SystemRoot%\System32 - for example a misconfigured user-writable entry on %PATH%, or the application's own working directory. When Punto Switcher next calls WinExec to launch 'RunDll32.exe shell32.dll,Control_RunDLL input.dll', Windows resolves the unqualified name to the attacker's binary and executes it in the user's context, giving the attacker persistence or a code-execution foothold each time the keyboard switcher uses that feature. …
Remediation No vendor-released patch identified at time of analysis; monitor the Yandex product page at https://yandex.ru/soft/punto and the VulnCheck advisory at https://www.vulncheck.com/advisories/punto-switcher-unquoted-search-path-via-winexec for an updated build above 4.5.0.583 and upgrade as soon as one is released. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Conduct asset discovery to identify all endpoints running Punto Switcher v4.5.0.583 or earlier; classify by business function and user privilege levels. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-25865 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy