CWE-427
Uncontrolled Search Path Element
BaseDraft
Description
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-38 · CAPEC-471
CVEs mapped to this weakness (303)
page 2 of 16| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-9497 | Hig | 0.56 | 8.6 | 0.00 | Jan 24, 2025 | DLL hijacking vulnerabilities, caused by an uncontrolled search path in the USBXpress 4 SDK installer can lead to privilege escalation and arbitrary code execution when running the impacted installer. | |
| CVE-2024-9496 | Hig | 0.56 | 8.6 | 0.00 | Jan 24, 2025 | DLL hijacking vulnerabilities, caused by an uncontrolled search path in the USBXpress Dev Kit installer can lead to privilege escalation and arbitrary code execution when running the impacted installer. | |
| CVE-2024-9495 | Hig | 0.56 | 8.6 | 0.00 | Jan 24, 2025 | DLL hijacking vulnerabilities, caused by an uncontrolled search path in the CP210x VCP Windows installer can lead to privilege escalation and arbitrary code execution when running the impacted installer. | |
| CVE-2024-9494 | Hig | 0.56 | 8.6 | 0.00 | Jan 24, 2025 | DLL hijacking vulnerabilities, caused by an uncontrolled search path in the CP210 VCP Win 2k installer can lead to privilege escalation and arbitrary code execution when running the impacted installer. | |
| CVE-2024-9493 | Hig | 0.56 | 8.6 | 0.00 | Jan 24, 2025 | DLL hijacking vulnerabilities, caused by an uncontrolled search path in the ToolStick installer can lead to privilege escalation and arbitrary code execution when running the impacted installer. | |
| CVE-2024-9492 | Hig | 0.56 | 8.6 | 0.00 | Jan 24, 2025 | DLL hijacking vulnerabilities, caused by an uncontrolled search path in Flash Programming Utility installer can lead to privilege escalation and arbitrary code execution when running the impacted installer. | |
| CVE-2024-9491 | Hig | 0.56 | 8.6 | 0.00 | Jan 24, 2025 | DLL hijacking vulnerabilities, caused by an uncontrolled search path in Configuration Wizard 2 installer can lead to privilege escalation and arbitrary code execution when running the impacted installer. | |
| CVE-2024-9490 | Hig | 0.56 | 8.6 | 0.00 | Jan 24, 2025 | DLL hijacking vulnerabilities, caused by an uncontrolled search path in Silicon Labs (8-bit) IDE installer can lead to privilege escalation and arbitrary code execution when running the impacted installer. | |
| CVE-2026-7373 | Hig | 0.55 | — | 0.00 | May 15, 2026 | Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host. Upon startup the metasploitPostgreSQL service the subsequent postgres.exe service attempts to load an OpenSSL configuration file from a non-existent directory that is writable by standard users. By planting a crafted openssl.cnf file an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits an unprivileged user to bypass security controls and achieve a full host compromise under the agent's SYSTEM level access. | |
| CVE-2026-21661 | Hig | 0.55 | — | 0.00 | May 6, 2026 | Uncontrolled Search Path Element vulnerability in JohnsonControls AC2000 on Windows allows Leveraging/Manipulating Configuration File Search Paths. This issue affects AC2000: from 10.6 before release 10, from 11.0 before release 9, from 12 before release 3. | |
| CVE-2022-50808 | Hig | 0.55 | 8.4 | 0.00 | Jan 13, 2026 | CoolerMaster MasterPlus 1.8.5 contains an unquoted service path vulnerability in the MPService that allows local attackers to execute code with elevated system privileges. Attackers can drop a malicious executable in the service path and trigger code execution during service startup or system reboot. | |
| CVE-2025-12852 | Hig | 0.55 | — | 0.00 | Nov 19, 2025 | DLL Loading vulnerability in NEC Corporation RakurakuMusen Start EX All Verisons allows a attacker to manipulate the PC environment to cause unintended operations on the user's device. | |
| CVE-2025-61161 | Hig | 0.55 | 8.4 | 0.00 | Oct 29, 2025 | DLL hijacking vulnerability in Evope Collector 1.1.6.9.0 and related components load the wtsapi32.dll library from an uncontrolled search path (C:\ProgramData\Evope). This allows local unprivileged attackers to execute arbitrary code or escalate privileges to SYSTEM by placing a crafted DLL in that location. The vulnerable component is Evope.Service.exe, which runs with SYSTEM privileges and automatically loads the DLL on startup or reboot. | |
| CVE-2025-56383 | Hig | 0.55 | 8.4 | 0.00 | Sep 26, 2025 | Notepad++ v8.8.3 has a DLL hijacking vulnerability, which can replace the original DLL file to execute malicious code. NOTE: this is disputed by multiple parties because the behavior only occurs when a user installs the product into a directory tree that allows write access by arbitrary unprivileged users. | |
| CVE-2024-13976 | Hig | 0.55 | — | 0.00 | Jul 25, 2025 | A DLL injection vulnerability exists in Commvault for Windows 11.20.0, 11.28.0, 11.32.0, 11.34.0, and 11.36.0. During the installation of maintenance updates, an attacker with local access may exploit uncontrolled search path or DLL loading behavior to execute arbitrary code with elevated privileges. The vulnerability has been resolved in versions 11.20.202, 11.28.124, 11.32.65, 11.34.37, and 11.36.15. | |
| CVE-2024-11859 | Hig | 0.55 | — | 0.00 | Apr 7, 2025 | DLL Search Order Hijacking vulnerability potentially allowed an attacker with administrator privileges to load a malicious dynamic-link library and execute its code. | |
| CVE-2024-2658 | Hig | 0.55 | — | 0.00 | Jan 30, 2025 | A misconfiguration in lmadmin.exe of FlexNet Publisher versions prior to 2024 R1 (11.19.6.0) allows the OpenSSL configuration file to load from a non-existent directory. An unauthorized, locally authenticated user with low privileges can potentially create the directory and load a specially crafted openssl.conf file leading to the execution of a malicious DLL (Dynamic-Link Library) with elevated privileges. | |
| CVE-2017-7884 | Hig | 0.55 | 8.4 | 0.00 | Jun 16, 2017 | In Adam Kropelin adk0212 APC UPS Daemon through 3.14.14, the default installation of APCUPSD allows a local authenticated, but unprivileged, user to run arbitrary code with elevated privileges by replacing the service executable apcupsd.exe with a malicious executable that will run with SYSTEM privileges at startup. This occurs because of "RW NT AUTHORITY\Authenticated Users" permissions for %SYSTEMDRIVE%\apcupsd\bin\apcupsd.exe. | |
| CVE-2017-16777 | Hig | 0.54 | 7.8 | 0.00 | Nov 16, 2017 | If HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.3 is installed but VMware Fusion is not, a local attacker can create a fake application directory and exploit the suid sudo helper in order to escalate to root. | |
| CVE-2017-12579 | Hig | 0.54 | 7.8 | 0.01 | Oct 19, 2017 | An insecure suid wrapper binary in the HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 4.0.24 and earlier allows a non-root user to obtain a root shell. |