CVE-2026-25865: Punto Switcher Unquoted Search Path Vulnerability

A critical local arbitrary code execution vulnerability, identified as CVE-2026-25865, affects Yandex Punto Switcher versions up to and including 4.5.0.583. This flaw stems from an unquoted search path element vulnerability where the application makes an insecure call to WinExec for RunDll32.exe without specifying a fully qualified path when invoking shell32.dll Control_RunDLL input.dll. This allows a local attacker, with minimal privileges, to craft and place a malicious executable named RunDll32.exe in a directory that is prioritized in the system's PATH environment variable. When Punto Switcher attempts to launch the legitimate RunDll32.exe, it instead executes the attacker-controlled binary, leading to arbitrary code execution in the context of the currently logged-in user. This vulnerability presents a significant risk for privilege escalation and persistent access on affected Windows systems.

Attack Chain

1. Initial Access: An attacker gains local access to a system with an unpatched Punto Switcher installation (e.g., via social engineering, a prior low-privilege exploit, or physical access).
2. Vulnerability Discovery: The attacker identifies the Punto Switcher process's insecure call to WinExec("RunDll32.exe shell32.dll Control_RunDLL input.dll").
3. Payload Creation: The attacker creates a malicious executable file and names it RunDll32.exe. This payload can perform actions such as establishing persistence, escalating privileges, or exfiltrating data.
4. Path Manipulation: The attacker places their malicious RunDll32.exe in a directory (e.g., a user-writable folder) that is listed before C:\Windows\System32 in the system's environment PATH variable.
5. Execution Trigger: The attacker waits for Punto Switcher to start or forces its execution, which causes Punto Switcher to attempt to call RunDll32.exe.
6. Hijacked Execution: Due to the unquoted search path vulnerability, the operating system's loader resolves RunDll32.exe to the attacker's malicious binary located earlier in the PATH, rather than the legitimate one in C:\Windows\System32.
7. Arbitrary Code Execution: The malicious RunDll32.exe is executed by Punto Switcher, allowing the attacker to run arbitrary code with the privileges of the affected user.
8. Impact: The attacker achieves local arbitrary code execution, enabling further actions like privilege escalation, data exfiltration, or system modification.

Impact

The successful exploitation of CVE-2026-25865 leads to local arbitrary code execution. This means an attacker, already having local access, can elevate their privileges or execute any code they choose on the affected system, potentially compromising the user's data and system integrity. Given the high CVSS base score of 7.8, the impact on confidentiality, integrity, and availability is considered high for the affected user's scope. This could lead to data theft, installation of additional malware, or complete system compromise within the user's context. There is no information available regarding specific victims or targeted sectors, but any Windows user running the vulnerable Punto Switcher software is at risk.

Recommendation

• Patch CVE-2026-25865 immediately: Update Yandex Punto Switcher to a version beyond 4.5.0.583 as soon as a patch is available from the vendor.
• Deploy the Sigma rule "Detects CVE-2026-25865 Exploitation - Malicious RunDll32.exe by Punto Switcher" to your SIEM: Monitor for Punto Switcher processes launching RunDll32.exe from non-standard system paths.
• Deploy the Sigma rule "Detects Unsigned RunDll32.exe Executing from Suspicious Paths" to your SIEM: Monitor for RunDll32.exe executing from non-standard paths, especially if the binary is unsigned, as a general defense against path interception.
• Enable Sysmon process-creation logging: Ensure detailed logging for process_creation events, including Image, CommandLine, ParentImage, and Hashes fields, to activate the rules above.
• Review system PATH environment variables: Regularly audit system and user PATH variables for inclusion of non-standard, user-writable directories before system directories like C:\Windows\System32.