Skip to main content

D.Launcher 2 CVE-2026-8993

| EUVDEUVD-2026-33913 MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-06-02 SK-CERT GHSA-qh4g-88ff-qrg3
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jun 02, 2026 - 13:01 EUVD
Analysis Generated
Jun 02, 2026 - 11:51 vuln.today

DescriptionCVE.org

D.Launcher 2 component of Slovak eID client ecosystem contains Improper URL Handler Processing vulnerability. Application registers multiple custom URL handlers that could be exploited to initiate full NTLM autentication or SMB connection to attacker infrastructure and to conduct SSRF (Server Side Request Forgery) attacks. User interaction is required as potential victim needs to open a specially crafted URL.

AnalysisAI

D.Launcher 2, a component of the Slovak eID client ecosystem by Ditec a.s., exposes Windows users to NTLM credential theft and SSRF attacks via improperly handled custom URL protocol registrations. An unauthenticated remote attacker who convinces a victim to open a specially crafted URL can trigger outbound NTLM authentication or SMB connections to attacker-controlled infrastructure, leaking Net-NTLMv2 hashes suitable for offline cracking or relay attacks. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

CWE-74 (Injection) covers failures to neutralize or validate special elements that alter the interpretation of a command or data structure. D.Launcher 2 registers multiple custom URL protocol handlers at the OS level - a Windows mechanism allowing applications to define URI schemes (e.g., 'dlauncher://') that the OS routes to the application when a user opens a matching URL. The root cause is insufficient validation of the destination or parameters embedded in these URLs, allowing attacker-supplied hostnames or paths to be passed through to Windows authentication subsystems or network APIs. This can force outbound NTLM authentication (leaking Net-NTLMv2 challenge/response hashes) to an attacker-controlled SMB server, or trigger SSRF where the application makes HTTP or other network requests to internal or external targets. The CPE cpe:2.3:a:ditec_a.s.:d.launcher_2:*:*:*:*:*:*:*:* indicates all known versions of D.Launcher 2 by Ditec a.s. are affected. This class of URL-handler abuse is well-documented in Windows ecosystems (cf. similar issues in Electron apps, Teams, and other custom URI scheme handlers).

RemediationAI

Update D.Launcher 2 to the patched version documented in Ditec's release notes at https://ditec.sk/static/kep/apps/release-notes/en. The exact fixed version number is not confirmed from available input data - the remediation version must be obtained directly from the Ditec release notes page. The Slovak government advisory at https://www.slovensko.sk/sk/oznamy/detail/_zranitelnost-aplikacie-d-launc should be consulted for official guidance. As a compensating control where immediate patching is not possible, administrators can deregister or block the D.Launcher 2 custom URL protocol handlers via Group Policy or registry modification (HKCU/HKLM\SOFTWARE\Classes\<scheme>) - this prevents the OS from routing malicious URLs to the application but will break legitimate D.Launcher 2 deep-link functionality. Additionally, egress firewall rules blocking outbound SMB (TCP 445) and NTLM authentication to non-domain-controller hosts can mitigate the credential-capture vector specifically, though this does not address the SSRF component. User awareness training to avoid clicking unknown or unsolicited URLs referencing custom URI schemes is a low-cost supplemental control.

Share

CVE-2026-8993 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy