Skip to main content

Microsoft CVE-2026-28760

| EUVDEUVD-2026-16125 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-03-26 jpcert GHSA-c8rm-hg85-p336
8.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 07:15 euvd
EUVD-2026-16125
Analysis Generated
Mar 26, 2026 - 07:15 vuln.today
CVE Published
Mar 26, 2026 - 06:54 nvd
HIGH 8.4

DescriptionCVE.org

The installer of RATOC RAID Monitoring Manager for Windows searches the current directory to load certain DLLs. If a user is directed to place a crafted DLL with the installer, an arbitrary code may be executed with the administrator privilege.

AnalysisAI

RATOC RAID Monitoring Manager for Windows contains a DLL hijacking vulnerability in its installer that loads DLLs from the current directory without proper path validation. If an attacker can place a malicious DLL in the directory where a user runs the installer, arbitrary code can be executed with administrator privileges. The vulnerability has a CVSS score of 8.4 with local attack vector requiring user interaction, and has been publicly disclosed through JPCERT coordination with vendor advisory available.

Technical ContextAI

This is a CWE-427 (Uncontrolled Search Path Element) vulnerability, commonly known as DLL hijacking or binary planting. The affected product is RATOC RAID Monitoring Manager for Windows (cpe:2.3:a:ratoc_systems,_inc.:ratoc_raid_monitoring_manager_for_windows) developed by RATOC Systems, Inc. The vulnerability occurs during the installation process when the installer searches for required DLLs using an insecure search order that includes the current working directory. Windows DLL search order typically checks the application directory before system directories, but when installers fail to use absolute paths or do not explicitly set safe DLL search modes, attackers can exploit this by placing malicious DLLs with names matching legitimate system libraries in directories where users might execute the installer. Since installers typically run with elevated privileges to write to protected system locations, successful exploitation grants administrator-level code execution.

RemediationAI

Download and install the updated version of RATOC RAID Monitoring Manager for Windows directly from the official RATOC Systems vendor advisory at https://www.ratocsystems.com/topics/userinfo/raidmanager202508/. When installing any software, including updates, ensure the installer is executed only from trusted locations such as official vendor download sites and that the installer file is stored in a directory with restricted write access to prevent DLL planting. Verify digital signatures on installer executables before running them to confirm authenticity. As a general security practice, avoid running installers from temporary directories, shared network locations, or user-writable folders where attackers could place malicious DLLs. Organizations should implement application control policies that restrict execution of unsigned or untrusted installers and educate users about the risks of downloading software from unofficial sources. For enterprise deployments, consider repackaging the installer using enterprise deployment tools that enforce secure installation paths.

Share

CVE-2026-28760 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy