Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local DLL-planting with no prior privileges (PR:N) but requiring the victim to run the installer (UI:R); full SYSTEM-level compromise gives C/I/A:H, scope unchanged.
Primary rating from Vendor (jpcert).
CVSS VectorVendor: jpcert
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Uncontrolled search path element issue exists in Pupsman versions prior to 3.9.0. If a crafted DLL file is placed in the same folder as the affected installer and the installer is executed, arbitrary code may be executed with SYSTEM privilege.
AnalysisAI
Local privilege escalation to arbitrary code execution affects Fuji Electric's Pupsman UPS management software in all versions prior to 3.9.0, where the installer insecurely loads a DLL from its own directory. A local attacker who can drop a malicious DLL into the folder containing the installer can have it executed with SYSTEM privilege the next time the installer is run. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires (1) local write access to the exact folder where the Pupsman (pre-3.9.0) installer resides, allowing placement of a crafted DLL with the name the installer resolves, and (2) a user or administrator subsequently executing that installer (CVSS UI:A). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H) scores 8.4 and correctly captures the trade-off: high technical impact (full C/I/A on the vulnerable system, SYSTEM-level) but gated by local access and required user interaction - the victim must execute the installer from a directory the attacker has already written to. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with the ability to write to a shared directory or a user's Downloads folder plants a malicious DLL named to match one the Pupsman installer loads. When an administrator later runs the installer from that same folder, the planted DLL is loaded and executes attacker code with SYSTEM privilege. … |
| Remediation | Upgrade to Pupsman 3.9.0 or later, which the vendor released to address this issue (Vendor-released patch: 3.9.0); consult the vendor page at https://www.fujielectric.co.jp/products/power_supply/ups/product_detail/software_pupsman.html and the JVN advisory https://jvn.jp/en/jp/JVN62347140/ for download details. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running Pupsman prior to version 3.9.0 and restrict local administrator access; limit installer execution to authorized personnel only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-427 – Uncontrolled Search Path Element
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42165
GHSA-jrgq-cr5h-83px