CVE-2019-25268
DLL Hijacking in NREL BEopt 2.8 Allows Remote Code Execution
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nrel | beopt | 2.8.0.0 |
| nrel | beopt | 2.7.0.0 |
| nrel | beopt | 2.6.0.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-427 | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a DLL hijacking issue in NREL BEopt software version 2.8.0.0 (also affecting versions 2.7.0.0 and 2.6.0.1). The application insecurely loads dynamic link libraries named "sdl2.dll" and "libegl.dll". An attacker can place malicious versions of these DLLs on remote WebDAV or SMB shares and trick a user into opening BEopt application files from those shares. This causes the application to load the attacker's malicious libraries instead of the legitimate ones, allowing the attacker to execute arbitrary code on the victim's system. [2, 3]
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to unauthorized code execution on the affected system. An attacker can gain the ability to run arbitrary commands or programs with the privileges of the user running BEopt, potentially compromising system security, stealing data, or causing other malicious effects. The vulnerability is rated with a high severity score (CVSS 3.1 base score 9.8), indicating a significant impact on confidentiality, integrity, and availability. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this DLL hijacking vulnerability involves monitoring for suspicious DLL loading behavior, especially for 'sdl2.dll' and 'libegl.dll' being loaded from remote WebDAV or SMB shares. One approach is to check if BEopt application files are being opened from remote shares and if these DLLs are loaded from unexpected locations. On Windows systems, tools like Sysinternals Process Monitor (Procmon) can be used to trace DLL loading paths. Commands to check network shares and loaded DLLs could include: 1) Using Procmon to filter for BEopt.exe and DLL load events. 2) Using PowerShell to check loaded modules in BEopt processes: `Get-Process -Name beopt | ForEach-Object { $_.Modules } | Where-Object { $_.ModuleName -in @('sdl2.dll','libegl.dll') }`. 3) Scanning SMB or WebDAV shares for presence of suspicious DLL files named 'sdl2.dll' or 'libegl.dll'. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Avoid opening BEopt application files from untrusted or remote WebDAV or SMB shares to prevent loading malicious DLLs. 2) Restrict or monitor access to network shares where BEopt files reside. 3) Implement application whitelisting or DLL loading restrictions to ensure only legitimate DLLs are loaded. 4) If possible, update or patch BEopt software to a version that addresses this vulnerability (though no patch is mentioned in the resources). 5) Educate users about the risk of opening BEopt files from remote shares. 6) Use endpoint protection solutions to detect and block suspicious DLL loads or code execution attempts related to this vulnerability. [2, 3]