CVE-2025-40979
BaseFortify
Publication date: 2025-09-10
Last updated on: 2025-09-11
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grandstream_networks | wave | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-427 | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-40979 is a DLL search order hijacking vulnerability in the wave.exe executable of the Wave application by Grandstream Networks on Windows 11 (version 1.27.8). An attacker with local access can place a malicious file in the user's temporary directory (C:\Users\<user>\AppData\Local\Temp), which the application may load instead of the legitimate DLL, allowing the attacker to execute arbitrary code and maintain persistence on the system. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with local access to execute arbitrary code on your Windows 11 system running the vulnerable Wave application. This means the attacker could run malicious software, potentially gaining control over your system, stealing data, or maintaining persistent access without your knowledge. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by verifying the version of the Wave application installed on Windows 11 systems. Specifically, check if the wave.exe executable is version 1.27.8 or earlier (prior to 1.27.11). Additionally, inspect the user's temporary directory (C:\Users\<user>\AppData\Local\Temp) for any suspicious or unexpected DLL files that could be used for hijacking. Commands to check the version and suspicious files could include: 1) Using PowerShell to get the version of wave.exe: Get-Item 'C:\Program Files\Wave\wave.exe' | Select-Object VersionInfo 2) Listing DLL files in the Temp directory: Get-ChildItem -Path 'C:\Users\<user>\AppData\Local\Temp' -Filter *.dll 3) Using Process Monitor or similar tools to monitor DLL loading by wave.exe for unusual paths or files. Note that detection requires local access and inspection of the affected system. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Wave application to version 1.27.11 or later, where this DLL search order hijacking vulnerability has been resolved. Additionally, restrict local user access to the system to prevent placing malicious files in the temporary directory. Monitoring and cleaning the user's temporary directory (C:\Users\<user>\AppData\Local\Temp) to remove any suspicious DLL files can also help reduce risk. Applying principle of least privilege and ensuring users do not have unnecessary write permissions to sensitive directories can further mitigate exploitation. [1]