Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Bytello Share (Windows Edition) installer executable provided by Bytello insecurely loads Dynamic Link Libraries. If there is a crafted DLL at the same directory when invoking the affected installer, arbitrary code may be executed with the privilege of the user invoking the installer.
AnalysisAI
DLL hijacking in Bytello Share (Windows Edition) installer prior to version 5.13.0.4246 allows local attackers to execute arbitrary code with the privileges of the installing user. The installer insecurely loads DLLs from its current directory, enabling attackers who can place a malicious DLL in the same location to achieve code execution when a user runs the installer. EPSS probability is very low (0.01%, 3rd percentile) with no active exploitation identified, suggesting this requires significant local access prerequisites that limit real-world risk despite the high CVSS score.
Technical ContextAI
This vulnerability is a classic DLL search order hijacking attack (CWE-427: Uncontrolled Search Path Element). Windows applications, including installers, load DLLs at runtime by searching multiple directories in a specific order. When an application does not specify the full path to required DLLs, Windows searches the application's directory first, then system directories. The Bytello Share installer fails to use secure DLL loading practices such as specifying absolute paths or calling SetDllDirectory/SetDefaultDllSearchPaths to exclude the current directory. An attacker with write access to the installer's directory can place a malicious DLL with the same name as a legitimately-required library, causing the installer to load and execute the attacker's code instead. This affects the Windows Edition installer executable specifically, identified by CPE cpe:2.3:a:bytello:bytello_share_(windows_edition)_installer_executable prior to version 5.13.0.4246.
RemediationAI
Organizations should immediately upgrade to Bytello Share (Windows Edition) installer version 5.13.0.4246 or later, available from https://www.bytello.com/help/share/downloads. For environments managing software deployment centrally, replace all cached installer copies in distribution shares, SCCM/Intune packages, and local IT resource folders with the patched version. As a temporary mitigation for environments that cannot immediately refresh installer packages, implement these specific controls with their trade-offs: 1) Store installer executables only on administrator-controlled network shares with write permissions restricted to IT staff (prevents attacker DLL placement but requires network access during installation), 2) Verify installer digital signatures before execution and run only from read-only media or trusted download locations (adds operational overhead but prevents tampering), 3) Use Application Control policies (AppLocker/WDAC) to whitelist the legitimate installer hash and block DLL loading from user-writable directories during installation (complex policy configuration and may break legitimate installer functionality requiring testing). Note that already-installed Bytello Share software is not vulnerable - only the installation process itself is affected.
Same weakness CWE-427 – Uncontrolled Search Path Element
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29912
GHSA-9wfr-j2f5-m367