Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
D.Launcher 2 component of Slovak eID client ecosystem contains Improper URL Handler Processing vulnerability. Application registers multiple custom URL handlers that could be exploited to initiate full NTLM autentication or SMB connection to attacker infrastructure and to conduct SSRF (Server Side Request Forgery) attacks. User interaction is required as potential victim needs to open a specially crafted URL.
AnalysisAI
D.Launcher 2, a component of the Slovak eID client ecosystem by Ditec a.s., exposes Windows users to NTLM credential theft and SSRF attacks via improperly handled custom URL protocol registrations. An unauthenticated remote attacker who convinces a victim to open a specially crafted URL can trigger outbound NTLM authentication or SMB connections to attacker-controlled infrastructure, leaking Net-NTLMv2 hashes suitable for offline cracking or relay attacks. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
CWE-74 (Injection) covers failures to neutralize or validate special elements that alter the interpretation of a command or data structure. D.Launcher 2 registers multiple custom URL protocol handlers at the OS level - a Windows mechanism allowing applications to define URI schemes (e.g., 'dlauncher://') that the OS routes to the application when a user opens a matching URL. The root cause is insufficient validation of the destination or parameters embedded in these URLs, allowing attacker-supplied hostnames or paths to be passed through to Windows authentication subsystems or network APIs. This can force outbound NTLM authentication (leaking Net-NTLMv2 challenge/response hashes) to an attacker-controlled SMB server, or trigger SSRF where the application makes HTTP or other network requests to internal or external targets. The CPE cpe:2.3:a:ditec_a.s.:d.launcher_2:*:*:*:*:*:*:*:* indicates all known versions of D.Launcher 2 by Ditec a.s. are affected. This class of URL-handler abuse is well-documented in Windows ecosystems (cf. similar issues in Electron apps, Teams, and other custom URI scheme handlers).
RemediationAI
Update D.Launcher 2 to the patched version documented in Ditec's release notes at https://ditec.sk/static/kep/apps/release-notes/en. The exact fixed version number is not confirmed from available input data - the remediation version must be obtained directly from the Ditec release notes page. The Slovak government advisory at https://www.slovensko.sk/sk/oznamy/detail/_zranitelnost-aplikacie-d-launc should be consulted for official guidance. As a compensating control where immediate patching is not possible, administrators can deregister or block the D.Launcher 2 custom URL protocol handlers via Group Policy or registry modification (HKCU/HKLM\SOFTWARE\Classes\<scheme>) - this prevents the OS from routing malicious URLs to the application but will break legitimate D.Launcher 2 deep-link functionality. Additionally, egress firewall rules blocking outbound SMB (TCP 445) and NTLM authentication to non-domain-controller hosts can mitigate the credential-capture vector specifically, though this does not address the SSRF component. User awareness training to avoid clicking unknown or unsolicited URLs referencing custom URI schemes is a low-cost supplemental control.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33913
GHSA-qh4g-88ff-qrg3