Skip to main content

AVACAST EUVDEUVD-2026-26028

| CVE-2026-7279 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-04-28 twcert
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Apr 28, 2026 - 10:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 28, 2026 - 10:22 vuln.today
cvss_changed
CVSS changed
Apr 28, 2026 - 10:22 NVD
7.8 (HIGH) 8.5 (HIGH)
Analysis Generated
Apr 28, 2026 - 10:15 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 10:00 euvd
EUVD-2026-26028
Analysis Generated
Apr 28, 2026 - 10:00 vuln.today
CVE Published
Apr 28, 2026 - 09:39 nvd
HIGH 8.5

DescriptionCVE.org

AVACAST developed by eMPIA Technology, has a DLL Hijacking vulnerability, allowing authenticated local attackers to place a malicious DLL in a specific directory, resulting in arbitrary code execution with system privileges when the system loads the DLL.

AnalysisAI

Local privilege escalation in eMPIA Technology AVACAST allows authenticated local users to execute arbitrary code with SYSTEM privileges by placing a malicious DLL in a specific directory exploited during application startup. This DLL hijacking vulnerability (CWE-427) requires low-complexity exploitation with no user interaction once local access is obtained. Taiwan's TWCERT issued advisories on this vulnerability, indicating regional awareness though no CISA KEV listing or public exploit code has been identified at time of analysis.

Technical ContextAI

The vulnerability stems from insecure library loading (CWE-427: Uncontrolled Search Path Element), commonly known as DLL hijacking. When AVACAST launches, Windows searches for required DLLs using a predictable search order that includes user-writable directories before system paths. The application fails to specify absolute paths or validate DLL signatures, allowing attackers with local access and low privileges (PR:L) to plant malicious DLLs in the search path. When the application or system service loads the DLL, the attacker's code executes with the elevated privileges of the loading process-in this case, SYSTEM level. The affected product is identified via CPE as eMPIA Technology AVACAST, though specific version ranges are not provided in available data. CVSS 4.0 scoring indicates local attack vector (AV:L), low complexity (AC:L), and high impact to confidentiality, integrity, and availability (VC:H/VI:H/VA:H) with no scope change (SC:N/SI:N/SA:N).

RemediationAI

Consult the TWCERT advisories at https://www.twcert.org.tw/en/cp-139-10885-02d83-2.html for vendor-specific remediation guidance, as no independently confirmed patch version is available in NVD data at time of analysis. Organizations should contact eMPIA Technology directly for patch availability and update timelines. Until patched versions are deployed, implement compensating controls: (1) Restrict AVACAST installation directories to Administrator-only write permissions using NTFS ACLs, preventing standard users from placing files in application folders-this may break legitimate software updates requiring user intervention; (2) Deploy application whitelisting solutions (e.g., Windows Defender Application Control, AppLocker) configured to allow only signed DLLs from trusted publishers to load into AVACAST processes-this requires baseline policy development and may generate false positives during legitimate updates; (3) Monitor file creation events in AVACAST directories using EDR or SIEM tools, alerting on unauthorized DLL drops-generates operational overhead for security teams; (4) If AVACAST functionality permits, run the application with least-privilege service accounts rather than SYSTEM to limit post-exploitation impact-verify application functionality is maintained after privilege reduction.

Share

EUVD-2026-26028 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy