CVE-2026-4255
DLL Hijacking in Thermalright TR-VISION HOME Enables Privilege Escalation
Publication date: 2026-03-16
Last updated on: 2026-03-16
Assigner: Toreon
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| thermalright | tr-vision_home | up to and including 2.0.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a DLL search order hijacking issue in Thermalright TR-VISION HOME on Windows (64-bit). The application loads dynamic-link libraries (DLLs) using the default Windows search order, which includes directories that may be writable by non-privileged users.
An attacker who can place a malicious DLL with the same name as a legitimate one in a directory searched before trusted system locations can cause the application to load the malicious DLL instead. Since the application runs with administrative privileges and does not verify the integrity or digital signature of loaded DLLs, the malicious code executes with elevated privileges.
Successful exploitation requires the attacker to place a crafted malicious DLL in a user-writable directory included in the DLL search path and then trigger execution of the affected application.
How can this vulnerability impact me?
This vulnerability can allow a local attacker to escalate their privileges on the affected system by executing arbitrary code with administrative rights.
Because the malicious DLL runs with the same elevated privileges as the application, an attacker could gain full control over the system, potentially leading to unauthorized access, data modification, or system compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting this vulnerability involves checking whether the DLL search path used by Thermalright TR-VISION HOME contains writable directories and verifying whether any malicious DLLs have been placed there.
You can inspect the directories in the DLL search order and check their permissions to identify whether non-privileged users can write to them.
- Use the command 'where /R C:\path_to_TR-VISION_HOME *.dll' on Windows to locate DLLs in the application directory and subdirectories.
- Check directory permissions with 'icacls <directory_path>' to see if non-privileged users have write access.
- Look for unexpected or suspicious DLL files in user-writable directories that are part of the DLL search path.
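The checks listed above, combined into one PowerShell script as an added example (not part of the original page or any vendor tooling). `$AppDir` is a placeholder for the install folder; checking the application directory plus the `PATH` entries, and the choice of low-privileged SIDs, are assumptions of this example.

```powershell
# Added example: audit user-writable directories in the DLL search path.
# $AppDir is a placeholder (assumption); pass the real TR-VISION HOME install folder.
param([string]$AppDir = 'C:\path_to_TR-VISION_HOME')

# Well-known SIDs of non-privileged principals
$LowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Access-mask bits that let a principal create a file in a directory:
# WriteData/CreateFiles (0x2), AppendData (0x4), GENERIC_WRITE, GENERIC_ALL
$WriteMask   = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$SidType     = [System.Security.Principal.SecurityIdentifier]

# Application directory first, then every existing PATH entry
$dirs = @($AppDir) + ($env:Path -split ';') |
    Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
    Select-Object -Unique

$findings = foreach ($dir in $dirs) {
    try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop } catch { continue }
    # Allow ACEs that apply to the directory itself and grant a low-privileged SID write access
    $writers = $acl.GetAccessRules($true, $true, $SidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPriv.ContainsKey($_.IdentityReference.Value) -and
        -not ($_.PropagationFlags -band $InheritOnly) -and
        ([int]$_.FileSystemRights -band $WriteMask)
    } | ForEach-Object { $LowPriv[$_.IdentityReference.Value] } | Select-Object -Unique
    if (-not $writers) { continue }

    # Writable directory: list its DLLs with their Authenticode signature status
    $dlls = @(Get-ChildItem -LiteralPath $dir -Filter *.dll -File -ErrorAction SilentlyContinue)
    if ($dlls.Count -eq 0) {
        [pscustomobject]@{ Directory = $dir; WritableBy = $writers -join ', '; Dll = '(none)'; Signature = '' }
    }
    foreach ($dll in $dlls) {
        $sig = Get-AuthenticodeSignature -LiteralPath $dll.FullName
        [pscustomobject]@{ Directory = $dir; WritableBy = $writers -join ', '; Dll = $dll.Name; Signature = $sig.Status }
    }
}

if ($findings) {
    $findings | Sort-Object Directory, Dll | Format-Table -AutoSize
} else {
    'No checked directory is writable by the listed low-privileged principals.'
}
```

The script does not evaluate Deny entries or group membership beyond the listed SIDs, so confirm any flagged directory with 'icacls <directory_path>' before changing permissions.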
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting write permissions on directories that are part of the DLL search path to prevent unprivileged users from placing malicious DLLs.
Avoid running the affected application with administrative privileges until the vulnerability is addressed.
Update the application to a version later than 2.0.5 if available, as versions up to and including 2.0.5 are affected.
Consider using application whitelisting or other security controls to prevent unauthorized DLLs from being loaded.