VYPR
Medium severity · 5.3 · NVD Advisory · Published Jun 15, 2026

CVE-2026-12201

Description

A local DLL sideloading vulnerability in IObit Malware Fighter up to 13.2.0 allows arbitrary file deletion via a crafted DLL in the user's path.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A flaw exists in the DLL loading mechanism of IObit Malware Fighter versions up to 13.2.0. By placing a malicious ProductNews2.dll in a user-writable directory (e.g., C:\users\\Appdata\local\Microsoft\WindowsApps), an attacker can cause the application to load and execute the attacker's payload because of Windows DLL search-order hijacking. The vulnerability affects the DLL Handler component and is triggered when the application searches for ProductNews2.dll in a path the attacker controls [1][2].

Exploitation

Exploitation requires only local low-privileged access. The attacker must first delete the legitimate ProductNews2.dll from the IObit installation directory (C:\Program Files (x86)\IObit\IObit Malware Fighter\). Then the attacker places a crafted ProductNews2.dll (compiled as x86) into a directory listed in the user's system PATH environment variable. When IObit Malware Fighter starts or performs an operation that triggers loading of this DLL, the system will find the malicious DLL first. A proof-of-concept executable (poc.exe) is available that demonstrates file deletion by passing a target file path as an argument [1].

Impact

Successful exploitation allows an attacker to delete arbitrary files on the system with the privileges of the IObit Malware Fighter process, which typically runs at a high integrity level. This can lead to privilege escalation from a low-integrity or medium-integrity process to high integrity, enabling further compromise of the system. The impact is limited to file deletion; however, combined with other vulnerabilities or techniques, it could be leveraged for more severe consequences such as system instability or persistent denial of service [1][2].

Mitigation

As of the publication date (2026-06-15), the vendor (IObit) has not responded to the disclosure and no official patch or fix has been released for this vulnerability [1][2]. Users should exercise caution when running IObit Malware Fighter version 13.2.0 or earlier. Until a fix is available, security-conscious users may consider removing the application or monitoring DLL loading paths. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
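To act on the "monitoring DLL loading paths" advice above, here is an added example (not from the advisory or the vendor) that flags any load of ProductNews2.dll from outside the install directory in Sysmon-style image-load records; the pipe-delimited record format, the process name IMF.exe, the user name and the sample lines are all constructed assumptions.

```python
"""Flag loads of ProductNews2.dll from anywhere other than the IObit install
directory, using Sysmon-style image-load (Event ID 7) records."""
import ntpath

# Expected home of the legitimate DLL, taken from the advisory text.
INSTALL_DIR = r"C:\Program Files (x86)\IObit\IObit Malware Fighter"
TARGET_DLL = "productnews2.dll"

def parse_record(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' record (constructed format, not real Sysmon XML)."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))

def is_under(path: str, parent: str) -> bool:
    """True if path lies inside parent; Windows paths compared case-insensitively."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(parent)) + "\\"
    return p.startswith(d)

def audit_image_loads(lines):
    """Return (process, loaded_from, reason) for each ProductNews2.dll load outside INSTALL_DIR."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") != "7":      # only image-load events matter here
            continue
        loaded = rec.get("ImageLoaded", "")
        if ntpath.basename(loaded).lower() != TARGET_DLL:
            continue
        if is_under(loaded, INSTALL_DIR):
            continue                        # expected location: nothing to report
        reason = "ProductNews2.dll loaded from outside the install directory"
        low = loaded.lower()
        if "\\appdata\\" in low or "\\windowsapps\\" in low:
            reason += " (user-writable profile path)"
        findings.append((rec.get("Image", "?"), loaded, reason))
    return findings

# Constructed sample records; the process name IMF.exe and user 'alice' are placeholders.
SAMPLE_LOG = [
    r"EventID=7|Image=C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe|ImageLoaded=C:\Program Files (x86)\IObit\IObit Malware Fighter\ProductNews2.dll",
    r"EventID=7|Image=C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe|ImageLoaded=C:\Users\alice\AppData\Local\Microsoft\WindowsApps\ProductNews2.dll",
    r"EventID=7|Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    for proc, path, why in audit_image_loads(SAMPLE_LOG):
        print(f"{proc}: {path} -> {why}")
```

A complementary check is whether ProductNews2.dll is still present in the install directory, since the described chain starts with removing the legitimate copy.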

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 5

News mentions: 0

No linked articles in our index yet.