CVE-2025-7676
BaseFortify

Publication date: 2025-07-28

Last updated on: 2025-07-29

Assigner: Dragos, Inc.

Description
DLL hijacking of all PE32 executables when run on Windows for the ARM64 CPU architecture. This allows an attacker to execute code if the attacker can plant a DLL in the same directory as the executable. Vulnerable versions of Windows 11 for ARM attempt to load Base DLLs from the application directory, a location from which those DLLs would ordinarily not be loaded. Fixed in release 24H2, but present in all earlier versions of Windows 11 for ARM CPUs.
Meta Information
Published: 2025-07-28
Last Modified: 2025-07-29
Generated: 2026-05-07
AI Q&A: 2025-07-28
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 3 associated CPEs (the version / range column is not populated on this page)
Vendor: microsoft, Product: windows 11 (three CPE entries)
CWE
CWE-427: The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-7676 is a DLL hijacking vulnerability affecting Windows 11 versions 22H2 and 23H2 running on ARM64 CPUs. It allows an attacker to execute malicious code by placing a malicious DLL in the same directory as a PE32 executable. Windows attempts to load certain core 'Base' DLLs from the application's directory before the system directories, which was not expected behavior for these DLLs. This means if an attacker can get a malicious DLL into the executable's folder (such as the Downloads folder), they can hijack the DLL loading process and run arbitrary code when the executable runs. [1]


How can this vulnerability impact me?

This vulnerability can allow an attacker with local access to execute arbitrary code with the privileges of the user running the vulnerable executable. This can lead to compromise of system confidentiality, integrity, and availability. For example, if a user runs an installer or other PE32 application from an untrusted directory containing a malicious DLL, the attacker can gain control over the system or install malware. The impact is significant especially for software installers and other common PE32 applications on ARM64 Windows 11 systems prior to 24H2. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying PE32 executables running on Windows 11 ARM64 systems that load Base DLLs from application directories, especially if these executables are run from unsafe locations like the 'Downloads' folder. Detection involves checking for suspicious DLLs placed alongside executables. While no specific commands are provided, system administrators can use tools to monitor DLL loading behavior, verify the directories from which DLLs are loaded, and scan for unexpected DLL files in application directories. [1]
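One concrete form of the "scan for unexpected DLL files in application directories" check, as an added example that is not part of the original page or of any vendor tooling: it identifies PE32 (32-bit) executables from their optional-header magic and flags any DLL beside them whose name shadows a DLL in the system directory. The page does not enumerate the affected Base DLLs, so the check is name-based against whatever system directory the caller supplies; the `make_pe_stub` and `demo` helpers and all file names are constructed for illustration.

```python
import os
import struct
import tempfile

PE32_MAGIC = 0x10B    # optional-header magic for 32-bit images (PE32+ is 0x20B)

def is_pe32(path):
    """True if the file is a PE32 (32-bit) image: 'MZ' stub, e_lfanew at 0x3C,
    'PE\\0\\0' signature, 20-byte COFF header, then the optional-header magic."""
    try:
        with open(path, "rb") as f:
            data = f.read(4096)
    except OSError:
        return False
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    return struct.unpack_from("<H", data, e_lfanew + 24)[0] == PE32_MAGIC

def find_shadowing_dlls(app_dir, system_dir):
    """DLL names in app_dir that shadow a same-named DLL in system_dir
    (case-insensitive), reported only if app_dir holds a PE32 .exe, since that
    is the image type the advisory says triggers the bad search order. On a real
    host pass the 32-bit system directory (C:\\Windows\\SysWOW64) as system_dir."""
    names = os.listdir(app_dir)
    if not any(n.lower().endswith(".exe") and is_pe32(os.path.join(app_dir, n)) for n in names):
        return []
    system_dlls = {n.lower() for n in os.listdir(system_dir) if n.lower().endswith(".dll")}
    return sorted(n for n in names if n.lower().endswith(".dll") and n.lower() in system_dlls)

def make_pe_stub(magic):
    """Constructed sample input: the smallest byte layout is_pe32() accepts."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew -> PE header
    return bytes(hdr + b"PE\0\0" + b"\0" * 20 + struct.pack("<H", magic))

def demo():
    """Constructed layout: a 'Downloads'-style dir with a PE32 installer and a
    planted DLL whose name shadows one in the (fake) system directory."""
    app_dir, sys_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    for name, content in [("setup.exe", make_pe_stub(PE32_MAGIC)),
                          ("sample_base.dll", b"planted"), ("other.dll", b"x")]:
        with open(os.path.join(app_dir, name), "wb") as f:
            f.write(content)
    with open(os.path.join(sys_dir, "SAMPLE_BASE.dll"), "wb") as f:
        f.write(b"real")
    return find_shadowing_dlls(app_dir, sys_dir)

if __name__ == "__main__":
    print(demo())  # ['sample_base.dll']
```

A hit means a DLL with a system-DLL name sits next to a 32-bit executable, which is the layout this search-order flaw turns into code execution; it does not by itself prove the DLL is malicious, so inspect the file's signature and origin before acting.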


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading affected systems to Windows 11 24H2 or later, as the vulnerability is fixed in that release. Additionally, users should avoid running installers or PE32 executables from untrusted or unsafe directories such as the 'Downloads' folder. Moving installers to secure directories before execution reduces risk. Software vendors are advised to distribute installers within compressed archives (e.g., ZIP files) to ensure extraction into clean directories, mitigating DLL hijacking risks. [1]

