Skip to main content

Powerattendant Standard Edition CVE-2026-5397

| EUVDEUVD-2026-22837 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-04-15 OMRON GHSA-wx9r-9hf2-wq9p
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 05:07 vuln.today
EUVD ID Assigned
Apr 15, 2026 - 05:00 euvd
EUVD-2026-22837
Analysis Generated
Apr 15, 2026 - 05:00 vuln.today
CVE Published
Apr 15, 2026 - 04:11 nvd
HIGH 7.8

DescriptionCVE.org

It has been identified that a vulnerability (CWE-427) exists in the UPS (Uninterruptible Power Supply) management application, whereby improper permissions on the installation directory allow a malicious actor to place a DLL that is then executed with administrator privileges.

If a malicious DLL is placed in the installation directory of this product, there is a possibility that the malicious DLL may be executed by exploiting the product’s behavior of loading missing DLLs from the same directory as the executable during service startup.

AnalysisAI

DLL hijacking in OMRON PowerAttendant Standard Edition UPS management software allows local attackers with low privileges to escalate to SYSTEM by planting malicious libraries in the installation directory, which are loaded during service startup. The attack requires high complexity (vulnerable directory permissions must exist) but achieves scope change with full system compromise. No public exploit identified at time of analysis, though the DLL hijacking technique (CWE-427) is well-documented a

Technical ContextAI

This vulnerability stems from CWE-427 (Uncontrolled Search Path Element), specifically an insecure DLL search order combined with weak installation directory permissions. The PowerAttendant Standard Edition service runs with elevated privileges (likely LocalSystem or Administrator context) and loads DLLs from its application directory during startup without verifying integrity. When the installation directory has write permissions for low-privileged users (contrary to Windows security best practices that restrict Program Files to admins), an attacker can plant a malicious DLL that matches a missing or delay-loaded dependency name. During the next service restart, Windows DLL loading mechanism prioritizes the application directory, causing the malicious library to execute in the service's security context. The affected product is identified via CPE as cpe:2.3:a:omron_social_solutions_co.,_ltd.:powerattendant_standard_edition, indicating all versions prior to the patched release are vulnerable. This class of vulnerability is common in legacy Windows applications that predate modern secure development practices and fail to use DLL safe search mode or signature validation.

RemediationAI

Organizations should immediately apply the vendor-released security update detailed in OMRON advisory OMSR-2026-001, available at https://www.omron.com/global/en/inquiry/data/OMSR-2026-001_en.pdf and https://www.omron.com/jp/ja/inquiry/data/OMSR-2026-001_ja.pdf. The exact patched version number should be confirmed from these advisories, which contain specific upgrade instructions. As an interim mitigation until patching is completed, administrators should audit and restrict NTFS permissions on the PowerAttendant installation directory (typically under Program Files) to ensure only SYSTEM and Administrators groups have write access, removing any inherited permissions that grant Authenticated Users or standard user accounts modification rights. Additionally, implement application whitelisting or endpoint detection rules to monitor for unsigned DLL loads from the installation directory, and restrict interactive logon capabilities for accounts used to run systems hosting PowerAttendant to reduce the attack surface for initial access. In high-security environments, consider deploying the software in a hardened virtual machine or container with minimal user access until the patch is validated and deployed. Review logs for any unexpected service restarts or DLL load events that could indicate exploitation attempts.

Share

CVE-2026-5397 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy