CVE-2026-25865
Received Received - Intake
Punto Switcher Unquoted Search Path Local Code Execution

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: VulnCheck

Description
Punto Switcher through 4.5.0.583 contains an unquoted search path element vulnerability that allows local attackers to execute arbitrary code by exploiting the application's call to WinExec without a fully qualified path for RunDll32.exe when invoking shell32.dll Control_RunDLL input.dll. Attackers can place a malicious executable earlier in the search order to achieve arbitrary code execution in the context of the affected user.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-18
Last Modified
2026-06-18
Generated
2026-06-19
AI Q&A
2026-06-18
EPSS Evaluated
N/A
NVD
CVE-2026-25865
EUVD
EUVD-2026-37940
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yandex punto_switcher to 4.5.0.583 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-428 The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25865 is an unquoted search path vulnerability in Punto Switcher version 4.5.0.583 and earlier. The application calls the Windows API WinExec without specifying a fully qualified path for RunDll32.exe when invoking shell32.dll Control_RunDLL input.dll. Because of this, Windows searches directories in order to find RunDll32.exe, and if an attacker with local access places a malicious executable named RunDll32.exe in a directory searched earlier, that malicious code will be executed instead of the legitimate one.

This vulnerability allows local attackers to execute arbitrary code with the privileges of the affected user by hijacking the search path used by the application.

Impact Analysis

If exploited, this vulnerability can allow a local attacker to execute arbitrary code on your system with the same privileges as the user running Punto Switcher.

This means an attacker could run malicious programs, potentially leading to data theft, system compromise, or further escalation of privileges if the user has administrative rights.

The attack requires local filesystem access but can lead to full administrative code execution if the user has elevated privileges.

Detection Guidance

This vulnerability manifests during the execution of Punto Switcher when it calls WinExec without a fully qualified path for RunDll32.exe. Detection involves auditing the filesystem for unquoted path elements and checking directories in the search order for malicious executables named RunDll32.exe placed earlier than the legitimate system directory.

Since the vulnerability requires local filesystem access and is not detectable via static scanning, runtime analysis or manual inspection is necessary.

  • Check for presence of suspicious RunDll32.exe files in directories that appear earlier in the system PATH environment variable than the legitimate System32 directory.
  • Use commands like `where RunDll32.exe` in Windows Command Prompt to see which executable is resolved first.
  • Audit directories in the PATH environment variable for unquoted spaces or suspicious executables.
  • Review file permissions to identify if untrusted users can write to directories earlier in the search order.
Mitigation Strategies

Immediate mitigation steps include auditing and restricting write permissions on directories that appear earlier in the search order than the legitimate System32 directory to prevent attackers from placing malicious executables.

Avoid running Punto Switcher with administrative privileges to limit the impact of potential arbitrary code execution.

Since no patch is currently available, monitor for updates from the vendor and consider disabling or uninstalling Punto Switcher if possible until a fix is released.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25865. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart