Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local attack vector with low complexity; requires an authenticated low-privileged user with write access to a search-path directory (PR:L), no user interaction, and full CIA impact in the affected user's context with no scope change.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Punto Switcher through 4.5.0.583 contains an unquoted search path element vulnerability that allows local attackers to execute arbitrary code by exploiting the application's call to WinExec without a fully qualified path for RunDll32.exe when invoking shell32.dll Control_RunDLL input.dll. Attackers can place a malicious executable earlier in the search order to achieve arbitrary code execution in the context of the affected user.
AnalysisAI
Local privilege escalation and arbitrary code execution affects Yandex Punto Switcher through version 4.5.0.583 due to an unquoted search path passed to WinExec when launching RunDll32.exe to invoke shell32.dll's Control_RunDLL with input.dll. An authenticated local attacker who can drop an executable into an earlier directory in the Windows search order can hijack execution and run code in the context of the affected user. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local code execution as an interactive user on a Windows host where Yandex Punto Switcher 4.5.0.583 or earlier is installed, plus write access to a directory that precedes %SystemRoot%\System32 in the Windows executable search order used by WinExec (typically the application's working directory or a user-controlled entry on %PATH%). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) accurately reflects a local, low-complexity, low-privilege flaw with full CIA impact on the vulnerable system but no scope change - a score of 8.5 is appropriate for a reliable local code-execution primitive. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A standard user (or malware already running as that user) drops a malicious rundll32.exe into a directory that appears in the executable search order before %SystemRoot%\System32 - for example a misconfigured user-writable entry on %PATH%, or the application's own working directory. When Punto Switcher next calls WinExec to launch 'RunDll32.exe shell32.dll,Control_RunDLL input.dll', Windows resolves the unqualified name to the attacker's binary and executes it in the user's context, giving the attacker persistence or a code-execution foothold each time the keyboard switcher uses that feature. … |
| Remediation | No vendor-released patch identified at time of analysis; monitor the Yandex product page at https://yandex.ru/soft/punto and the VulnCheck advisory at https://www.vulncheck.com/advisories/punto-switcher-unquoted-search-path-via-winexec for an updated build above 4.5.0.583 and upgrade as soon as one is released. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Conduct asset discovery to identify all endpoints running Punto Switcher v4.5.0.583 or earlier; classify by business function and user privilege levels. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-428 – Unquoted Search Path or Element
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37940
GHSA-w78p-vwm4-m8q9