VYPR
Unrated severity · NVD Advisory · Published Feb 26, 2024 · Updated Feb 13, 2025

Local Privilege Escalation via DLL Hijacking

CVE-2023-49114

Description

A DLL hijacking vulnerability was identified in the Qognify VMS Client Viewer version 7.1 or higher, which allows local users to execute arbitrary code and obtain higher privileges via careful placement of a malicious DLL, if some specific pre-conditions are met.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"The application loads DLLs from the standard Windows search order without ensuring those directories are protected from untrusted writes, allowing a locally-placed malicious DLL to be loaded instead."

Attack vector

An attacker with low privileges on a Windows system drops a malicious DLL (e.g., CRYPTBASE.dll) into a directory within the DLL search order where they have write access — such as the application directory, system directory, Windows directory, current working directory, or a PATH directory [ref_id=1]. When a high-privileged user subsequently launches VMS_Client.exe, the application loads the attacker's DLL instead of a legitimate one, and the attacker's code executes at the elevated privilege level of the launching user [ref_id=1].

Affected code

The vulnerability affects the Qognify VMS Client/Viewer application (VMS_Client.exe) version 7.1 or higher. The application attempts to load multiple DLL files from the standard Windows DLL search order, and at least one missing DLL (e.g., CRYPTBASE.dll) can be hijacked [ref_id=1].

What the fix does

The vendor provides a hardening guide for customers that should be implemented to ensure no DLLs can be preloaded [ref_id=1]. No patch or code fix is described in the advisory; the recommended mitigation relies on securing file system permissions on directories in the DLL search order so that low-privileged attackers cannot write malicious DLLs into those locations [ref_id=1].
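The permission check that this mitigation depends on can be scripted. The following is an added example, not taken from the advisory or from the vendor's hardening guide: it lists every allow-ACE that grants file-creation rights to a non-administrative principal on the directories in the search order named above. `$AppDir` is a placeholder install path, and the trusted-SID list is an assumption to adjust per environment.

```powershell
param(
    # Placeholder install location (assumption); pass the real client directory.
    [string]$AppDir = 'C:\Program Files\ExampleVendor\Client'
)

# SIDs expected to hold write access: SYSTEM, Administrators, TrustedInstaller.
$trusted = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Application, system, Windows and current working directory, plus PATH entries.
# Run in the session of the privileged user, since PATH and CWD are per-process.
$dirs = @($AppDir, [Environment]::SystemDirectory, $env:windir, (Get-Location).Path) +
        ($env:PATH -split ';') |
    ForEach-Object { $_.Trim().Trim('"') } |
    Where-Object { $_ } |
    Sort-Object -Unique

$sidType     = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$findings = foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    try   { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $dir"; continue }

    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        # 0x2 = WriteData/CreateFiles, 0x40000000 = GENERIC_WRITE, 0x10000000 = GENERIC_ALL
        if (([int]$ace.FileSystemRights -band 0x50000002) -eq 0) { continue }
        $name = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $ace.IdentityReference.Value }
        [pscustomobject]@{
            Directory   = $dir
            Principal   = $name
            Rights      = $ace.FileSystemRights
            Inherited   = $ace.IsInherited
            # InheritOnly ACEs apply to child objects, not to the directory itself.
            InheritOnly = $ace.PropagationFlags.HasFlag($inheritOnly)
        }
    }
}
$findings | Sort-Object Directory, Principal | Format-Table -AutoSize
```

An empty result means no untrusted principal holds create or write rights on any existing directory in the list; PATH entries that do not exist are skipped and should be reviewed separately.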

Preconditions

  • config: Attacker must have write access to at least one directory in the Windows DLL search order (application directory, system directory, Windows directory, current working directory, or a PATH directory)
  • auth: A user with high privileges (e.g., local administrator) must launch VMS_Client.exe
  • input: Attacker must be able to place a malicious DLL (e.g., CRYPTBASE.dll) into the writable directory
  • config: The target system must be running Qognify VMS Client/Viewer version 7.1 or higher

Reproduction

Compile a malicious DLL using the provided C-code (e.g., `x86_64-w64-mingw32-gcc CRYPTBASE.c -shared -o CRYPTBASE.dll`) that creates a local admin user on `DLL_PROCESS_ATTACH` [ref_id=1]. Drop the resulting CRYPTBASE.dll into a directory within the DLL search order where the attacker has write access [ref_id=1]. Wait for or induce a high-privileged user to launch VMS_Client.exe; the DLL loads and the attacker's code executes with elevated privileges [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
