CVE-2026-36574
Received - Intake
DLL Hijacking in CactusViewer v2.3.0

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: MITRE

Description
A DLL hijacking vulnerability in Wassimulator (GitHub) CactusViewer v2.3.0 allows attackers to escalate privileges and execute arbitrary code via a crafted DLL.
Meta Information
Published: 2026-06-03
Last Modified: 2026-06-03
Generated: 2026-06-03
AI Q&A: 2026-06-03
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor         Product        Version / Range
wassimulator   cactusviewer   2.3.0
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-36574 is a DLL hijacking vulnerability in CactusViewer v2.3.0, a Windows application. The vulnerability allows an attacker to escalate privileges and execute arbitrary code by placing a malicious DLL in the same directory as the CactusViewer executable.

When CactusViewer launches, it searches for several DLL files (such as D3DCOMPILER_47.dll, d3d11.dll, dxgi.dll, CRYPTSP.dll, d3d10warp.dll, and Wldp.dll) in its own directory before checking the Windows system directory. Because these DLLs are not part of the Windows KnownDLLs registry, Windows does not enforce loading them from the system directory, allowing the malicious DLL to be loaded instead.

This vulnerability is classified under CWE-427 (Uncontrolled Search Path Element) and requires user interaction to exploit (launching the executable). The attacker can achieve arbitrary code execution in the context of the user running the application.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of the DLL hijacking vulnerability in CactusViewer v2.3.0 on compliance with common standards and regulations such as GDPR or HIPAA.

However, since the vulnerability allows arbitrary code execution with the privileges of the user running the application, it could potentially lead to unauthorized access or manipulation of sensitive data, which may indirectly affect compliance with data protection regulations.

No explicit references to compliance implications or regulatory impact are mentioned in the available resources.


How can this vulnerability impact me?

This vulnerability can allow an attacker to execute arbitrary code with the privileges of the user running CactusViewer. This means the attacker could potentially escalate privileges, install malware, steal data, or perform other malicious actions on the affected system.

The attack requires placing a malicious DLL in the application directory and having the user launch the application, making social engineering or physical access possible attack vectors.

Because the vulnerability allows code execution, it can compromise system integrity, confidentiality, and availability depending on the attacker's goals and the user's privileges.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking whether the CactusViewer v2.3.0 application directory contains any unexpected or suspicious DLL files. DLL hijacking depends on a malicious DLL sitting in the same directory as the executable, so that directory is the place to look.

You can manually inspect the directory where CactusViewer.exe is located for files named D3DCOMPILER_47.dll, d3d11.dll, dxgi.dll, CRYPTSP.dll, d3d10warp.dll, or Wldp.dll. A copy found there is one that did not come from the official Windows system directory.

Suggested commands to detect suspicious DLLs in the application directory on Windows include:

  • Use PowerShell to list DLL files in the application directory: Get-ChildItem -Path "C:\Path\To\CactusViewer" -Filter *.dll
  • Check the digital signature of DLL files to verify authenticity: Get-AuthenticodeSignature -FilePath "C:\Path\To\CactusViewer\suspicious.dll"
  • Use Process Monitor (ProcMon) from Sysinternals to monitor DLL loading by CactusViewer.exe and detect if it loads DLLs from unexpected locations.

Since the vulnerability requires user interaction (launching the executable), monitoring process execution and DLL load paths can help detect exploitation attempts.
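
The directory check described above, combined into one script. This is an added example, not part of the advisory or the CactusViewer project: the function name Find-ShadowedDll and the path C:\Path\To\CactusViewer are placeholders, and the System32 hash comparison is an extra triage step that assumes a 64-bit PowerShell session.

```powershell
# Added example: audit an install directory for local copies of the DLLs that
# the advisory says CactusViewer looks for beside its executable.
# Find-ShadowedDll is a hypothetical helper name, not a built-in cmdlet.
function Find-ShadowedDll {
    param([Parameter(Mandatory)][string]$AppDir)

    # DLL names listed in the advisory text.
    $watched  = 'D3DCOMPILER_47.dll', 'd3d11.dll', 'dxgi.dll',
                'CRYPTSP.dll', 'd3d10warp.dll', 'Wldp.dll'
    $system32 = Join-Path $env:windir 'System32'

    foreach ($name in $watched) {
        $local = Join-Path $AppDir $name
        if (-not (Test-Path -LiteralPath $local -PathType Leaf)) { continue }

        # Signature and hash of the copy sitting next to the executable.
        $sig       = Get-AuthenticodeSignature -FilePath $local
        $localHash = (Get-FileHash -LiteralPath $local -Algorithm SHA256).Hash

        # Hash of the system copy, if this Windows build has one.
        $sysCopy = Join-Path $system32 $name
        $sysHash = $null
        if (Test-Path -LiteralPath $sysCopy -PathType Leaf) {
            $sysHash = (Get-FileHash -LiteralPath $sysCopy -Algorithm SHA256).Hash
        }
        $sameAsSystem = ($null -ne $sysHash) -and ($sysHash -eq $localHash)

        [pscustomobject]@{
            Name            = $name
            Path            = $local
            SignatureStatus = $sig.Status
            Signer          = $sig.SignerCertificate.Subject
            SameAsSystem32  = $sameAsSystem
            LastWriteTime   = (Get-Item -LiteralPath $local).LastWriteTime
            # A lead for triage, not a verdict: an application may bundle
            # its own copy of a DLL, which will differ from the system file.
            NeedsReview     = ($sig.Status -ne 'Valid') -or (-not $sameAsSystem)
        }
    }
}

# Placeholder path; point it at the folder that holds CactusViewer.exe.
Find-ShadowedDll -AppDir 'C:\Path\To\CactusViewer' | Format-Table -AutoSize
```

An empty result means none of the listed DLL names exist in the application directory. Any row with NeedsReview set to True is worth correlating with the ProcMon load paths mentioned above.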


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include preventing the application from loading DLLs from untrusted directories by restricting the DLL search path.

  • Use absolute paths for loading DLLs within the application to avoid searching in the application directory.
  • Modify the application to call SetDllDirectory("") at startup to remove the current directory from the DLL search path.
  • Use SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) to restrict DLL loading to the Windows System32 directory.

Additionally, ensure that no untrusted DLL files exist in the application directory and educate users not to run the vulnerable application until a patch is available.

