{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/path-interception/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Punto Switcher (through 4.5.0.583)"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","local-exploitation","windows","software-vulnerability","path-interception"],"_cs_type":"advisory","_cs_vendors":["Yandex"],"content_html":"\u003cp\u003eA critical local arbitrary code execution vulnerability, identified as CVE-2026-25865, affects Yandex Punto Switcher versions up to and including 4.5.0.583. This flaw stems from an unquoted search path element vulnerability where the application makes an insecure call to \u003ccode\u003eWinExec\u003c/code\u003e for \u003ccode\u003eRunDll32.exe\u003c/code\u003e without specifying a fully qualified path when invoking \u003ccode\u003eshell32.dll Control_RunDLL input.dll\u003c/code\u003e. This allows a local attacker, with minimal privileges, to craft and place a malicious executable named \u003ccode\u003eRunDll32.exe\u003c/code\u003e in a directory that is prioritized in the system's PATH environment variable. When Punto Switcher attempts to launch the legitimate \u003ccode\u003eRunDll32.exe\u003c/code\u003e, it instead executes the attacker-controlled binary, leading to arbitrary code execution in the context of the currently logged-in user. This vulnerability presents a significant risk for privilege escalation and persistent access on affected Windows systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains local access to a system with an unpatched Punto Switcher installation (e.g., via social engineering, a prior low-privilege exploit, or physical access).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Discovery:\u003c/strong\u003e The attacker identifies the Punto Switcher process's insecure call to \u003ccode\u003eWinExec(\u0026quot;RunDll32.exe shell32.dll Control_RunDLL input.dll\u0026quot;)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Creation:\u003c/strong\u003e The attacker creates a malicious executable file and names it \u003ccode\u003eRunDll32.exe\u003c/code\u003e. This payload can perform actions such as establishing persistence, escalating privileges, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePath Manipulation:\u003c/strong\u003e The attacker places their malicious \u003ccode\u003eRunDll32.exe\u003c/code\u003e in a directory (e.g., a user-writable folder) that is listed \u003cem\u003ebefore\u003c/em\u003e \u003ccode\u003eC:\\Windows\\System32\u003c/code\u003e in the system's environment \u003ccode\u003ePATH\u003c/code\u003e variable.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution Trigger:\u003c/strong\u003e The attacker waits for Punto Switcher to start or forces its execution, which causes Punto Switcher to attempt to call \u003ccode\u003eRunDll32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHijacked Execution:\u003c/strong\u003e Due to the unquoted search path vulnerability, the operating system's loader resolves \u003ccode\u003eRunDll32.exe\u003c/code\u003e to the attacker's malicious binary located earlier in the PATH, rather than the legitimate one in \u003ccode\u003eC:\\Windows\\System32\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Code Execution:\u003c/strong\u003e The malicious \u003ccode\u003eRunDll32.exe\u003c/code\u003e is executed by Punto Switcher, allowing the attacker to run arbitrary code with the privileges of the affected user.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves local arbitrary code execution, enabling further actions like privilege escalation, data exfiltration, or system modification.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-25865 leads to local arbitrary code execution. This means an attacker, already having local access, can elevate their privileges or execute any code they choose on the affected system, potentially compromising the user's data and system integrity. Given the high CVSS base score of 7.8, the impact on confidentiality, integrity, and availability is considered high for the affected user's scope. This could lead to data theft, installation of additional malware, or complete system compromise within the user's context. There is no information available regarding specific victims or targeted sectors, but any Windows user running the vulnerable Punto Switcher software is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-25865 immediately\u003c/strong\u003e: Update Yandex Punto Switcher to a version beyond 4.5.0.583 as soon as a patch is available from the vendor.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rule \u0026quot;Detects CVE-2026-25865 Exploitation - Malicious RunDll32.exe by Punto Switcher\u0026quot; to your SIEM\u003c/strong\u003e: Monitor for Punto Switcher processes launching \u003ccode\u003eRunDll32.exe\u003c/code\u003e from non-standard system paths.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rule \u0026quot;Detects Unsigned RunDll32.exe Executing from Suspicious Paths\u0026quot; to your SIEM\u003c/strong\u003e: Monitor for \u003ccode\u003eRunDll32.exe\u003c/code\u003e executing from non-standard paths, especially if the binary is unsigned, as a general defense against path interception.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable Sysmon process-creation logging\u003c/strong\u003e: Ensure detailed logging for \u003ccode\u003eprocess_creation\u003c/code\u003e events, including \u003ccode\u003eImage\u003c/code\u003e, \u003ccode\u003eCommandLine\u003c/code\u003e, \u003ccode\u003eParentImage\u003c/code\u003e, and \u003ccode\u003eHashes\u003c/code\u003e fields, to activate the rules above.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview system PATH environment variables\u003c/strong\u003e: Regularly audit system and user \u003ccode\u003ePATH\u003c/code\u003e variables for inclusion of non-standard, user-writable directories before system directories like \u003ccode\u003eC:\\Windows\\System32\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T20:24:29Z","date_published":"2026-06-18T20:24:29Z","id":"https://feed.craftedsignal.io/briefs/2026-06-cve-2026-25865-punto-switcher/","summary":"CVE-2026-25865 describes an unquoted search path element vulnerability in Yandex Punto Switcher through version 4.5.0.583, allowing local attackers to execute arbitrary code by placing a malicious `RunDll32.exe` earlier in the system's PATH to hijack the application's insecure `WinExec` call, leading to arbitrary code execution with affected user privileges.","title":"CVE-2026-25865: Punto Switcher Unquoted Search Path Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-06-cve-2026-25865-punto-switcher/"}],"language":"en","title":"CraftedSignal Threat Feed - Path-Interception","version":"https://jsonfeed.org/version/1.1"}