{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-3780/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-3780"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","cve-2026-3780","untrusted-search-path","dll-hijacking","installer"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-3780 describes a local privilege escalation vulnerability affecting an application installer. The installer, when executed, operates with elevated privileges. However, it resolves the location of system executables and DLLs using an untrusted search path. This untrusted path includes directories writable by standard users. An attacker can exploit this by placing malicious binaries, named identically to legitimate system files, in these user-writable directories. When the installer attempts to load or execute these system files, the attacker\u0026rsquo;s malicious versions are used instead, due to the flawed search path resolution. This leads to arbitrary code execution with elevated privileges, thereby escalating the attacker\u0026rsquo;s privileges on the local system. 
This vulnerability was reported in Foxit products and poses a significant risk to systems where the vulnerable installer is executed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a user-writable directory included in the application installer\u0026rsquo;s search path.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the application installer to determine which system executables or DLLs it attempts to load or execute.\u003c/li\u003e\n\u003cli\u003eThe attacker creates malicious binaries that mimic the names of the targeted system files.\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious binaries into the user-writable directory.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the vulnerable application installer, typically requiring some user interaction (e.g., clicking \u0026ldquo;Install\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe installer, running with elevated privileges, attempts to load or execute the legitimate system files.\u003c/li\u003e\n\u003cli\u003eDue to the untrusted search path, the installer loads or executes the attacker\u0026rsquo;s malicious binaries instead of the legitimate ones.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes with elevated privileges, allowing the attacker to perform actions such as creating new accounts, installing software, or modifying system settings, thereby achieving local privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3780 allows a local attacker to gain elevated privileges on the system. This means an attacker with limited access can perform administrative tasks, install malware, access sensitive data, and potentially compromise the entire system. 
The severity is high because it bypasses normal security controls and can lead to a full system compromise from a limited starting point. This poses a significant risk to any system running the affected application installer.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect DLL Hijacking via Installer\u0026rdquo; to detect the creation of malicious DLLs in user-writable directories, referencing the rule details below.\u003c/li\u003e\n\u003cli\u003eEnable file creation monitoring in user-writable directories (e.g., %TEMP%, %APPDATA%) to provide data for the Sigma rule and to detect suspicious file activity.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of unexpected binaries within the context of the application installer, leveraging the rule \u0026ldquo;Detect Suspicious Process Execution by Installer\u0026rdquo; defined below.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T02:16:03Z","date_published":"2026-04-01T02:16:03Z","id":"/briefs/2026-04-untrusted-search-path/","summary":"An application installer vulnerable to CVE-2026-3780 runs with elevated privileges but resolves system executables and DLLs using an untrusted search path, enabling local privilege escalation by allowing a local attacker to inject malicious binaries.","title":"CVE-2026-3780: Local Privilege Escalation via Untrusted Search Path in Application Installer","url":"https://feed.craftedsignal.io/briefs/2026-04-untrusted-search-path/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-3780","version":"https://jsonfeed.org/version/1.1"}