CVE-2025-40979
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-10

Last updated on: 2025-09-11

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
DLL search order hijacking vulnerability in the wave.exe executable for Windows 11, version 1.27.8. Exploitation of this vulnerability could allow attackers with local access to execute arbitrary code by placing an arbitrary file in the 'C:\Users<user>\AppData\Local\Temp' directory, which could lead to arbitrary code execution and persistence. This vulnerability is only replicable in versions of Windows 11 and does not affect earlier versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-10
Last Modified
2025-09-11
Generated
2026-06-16
AI Q&A
2025-09-10
EPSS Evaluated
2026-06-14
NVD
CVE-2025-40979
EUVD
EUVD-2025-27534
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
grandstream_networks wave *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-40979 is a DLL search order hijacking vulnerability in the wave.exe executable of the Wave application by Grandstream Networks on Windows 11 (version 1.27.8). An attacker with local access can place a malicious file in the user's temporary directory (C:\Users\<user>\AppData\Local\Temp), which the application may load instead of the legitimate DLL, allowing the attacker to execute arbitrary code and maintain persistence on the system. [1]

Impact Analysis

This vulnerability can allow an attacker with local access to execute arbitrary code on your Windows 11 system running the vulnerable Wave application. This means the attacker could run malicious software, potentially gaining control over your system, stealing data, or maintaining persistent access without your knowledge. [1]

Detection Guidance

This vulnerability can be detected by verifying the version of the Wave application installed on Windows 11 systems. Specifically, check if the wave.exe executable is version 1.27.8 or earlier (prior to 1.27.11). Additionally, inspect the user's temporary directory (C:\Users\<user>\AppData\Local\Temp) for any suspicious or unexpected DLL files that could be used for hijacking. Commands to check the version and suspicious files could include: 1) Using PowerShell to get the version of wave.exe: Get-Item 'C:\Program Files\Wave\wave.exe' | Select-Object VersionInfo 2) Listing DLL files in the Temp directory: Get-ChildItem -Path 'C:\Users\<user>\AppData\Local\Temp' -Filter *.dll 3) Using Process Monitor or similar tools to monitor DLL loading by wave.exe for unusual paths or files. Note that detection requires local access and inspection of the affected system. [1]

Mitigation Strategies

The immediate mitigation step is to update the Wave application to version 1.27.11 or later, where this DLL search order hijacking vulnerability has been resolved. Additionally, restrict local user access to the system to prevent placing malicious files in the temporary directory. Monitoring and cleaning the user's temporary directory (C:\Users\<user>\AppData\Local\Temp) to remove any suspicious DLL files can also help reduce risk. Applying principle of least privilege and ensuring users do not have unnecessary write permissions to sensitive directories can further mitigate exploitation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-40979. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart