Description
Local privilege escalation by loading DLLs from a shared temporary directory in ANSSI’s DFIR-ORC, versions 10.2.7 and prior. An attacker with prior access to the system can place a malicious DLL in C:\Windows\Temp and wait for the application to be executed. Because DFIR-ORC is extracted and executed from that location with administrative privileges, the malicious library can be loaded automatically, allowing the attacker to gain administrator privileges on the affected machine.
Published: 2026-06-18
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker with low-privileged local access can drop a malicious DLL into the shared temporary directory C:\Windows\Temp. When DFIR‑ORC 10.2.7 or earlier is launched with administrative privileges, it extracts its embedded tools into that directory and runs them from there, so the Windows DLL search order resolves the planted library from the application directory and the attacker's code executes as administrator. This is CWE‑427 (Uncontrolled Search Path Element): a directory that any local user can write to is part of the DLL search path of a privileged process.

Affected Systems

The vulnerability affects ANSSI’s DFIR‑ORC, releases 10.2.7 and earlier. Version 10.2.8 ships a mitigation and version 10.3.0 a complete fix (details under Remediation below).

Risk and Exploitability

The CVSS 4.0 base score is 7.3 (High). The vector (AV:L/AC:L/AT:P/PR:L/UI:P) records that the attacker needs local, low‑privileged access, that a precondition must hold (an extraction directory the attacker can write to), and that a privileged user must subsequently launch DFIR‑ORC; once those conditions are met, the impact on confidentiality, integrity and availability of the host is high. No EPSS score is available and the flaw is not listed in the CISA KEV catalog, which means no public exploitation has been recorded, not that exploitation is hard: by default C:\Windows\Temp allows any authenticated user to create files, which is exactly what the attack needs.

Generated by OpenCVE AI on June 18, 2026 at 17:54 UTC.

Remediation

Vendor Solution

The vulnerability has been fully addressed with an improved fix in version 10.3.0.


Vendor Workaround

The vulnerability was mitigated by the ANSSI team in version 10.2.8 and fully addressed with an improved fix in 10.3.0. Workaround for earlier versions: do not execute DFIR‑ORC from a directory with overly permissive write access (v10.8.0); do not run it as SYSTEM unless the temporary directory (/tempdir) is set to a location with appropriate permissions (< 10.2.8).


OpenCVE Recommended Actions

  • Upgrade DFIR‑ORC to version 10.3.0, which fully resolves the issue.
  • If an immediate upgrade is not possible, apply the vendor workaround: do not execute DFIR‑ORC from an overly permissive directory, and do not run it as SYSTEM unless /tempdir points to a directory that only administrators can write to.
  • Restricting NTFS permissions on C:\Windows\Temp so that only trusted principals can create files there also blocks the attack, but other Windows components and third‑party services rely on writing to that directory, so test the change before deploying it; a dedicated /tempdir is the lower‑risk option.
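As an added example (not part of the CVE record or of DFIR‑ORC's own code), the following PowerShell script, run from an elevated session, implements the checks a responder would want before launching the collector on a host: it audits C:\Windows\Temp for principals other than SYSTEM, Administrators and TrustedInstaller that can create files there (the precondition described under Impact), lists DLLs already sitting in that directory whose owner is not an administrative principal, and creates a dedicated directory with an administrator‑only ACL to pass via /tempdir. The directory path C:\ProgramData\DFIR-ORC\tmp, the binary location C:\Tools\DFIR-Orc.exe and the exact /tempdir argument syntax are assumptions; check the DFIR‑ORC documentation for the option's spelling.

```powershell
# Added example, not DFIR-ORC code. Requires an elevated PowerShell session on Windows.

# Principals allowed to write into the collector's working directory.
$TrustedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Any of these rights lets a principal plant or replace a file in a directory.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

# Return every Allow ACE that grants write access to a principal outside $TrustedWriters.
function Get-UntrustedWriters {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $WriteMask) -ne 0 -and
            $TrustedWriters -notcontains $_.IdentityReference.Value
        } |
        Select-Object @{n='Identity';  e={ $_.IdentityReference.Value }},
                      @{n='Rights';    e={ $_.FileSystemRights }},
                      @{n='Inherited'; e={ $_.IsInherited }}
}

# Heuristic: a DLL dropped by a standard user is owned by that user, whereas files
# extracted by an elevated DFIR-ORC run are owned by Administrators or SYSTEM.
function Get-SuspiciousDlls {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Filter *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $owner = (Get-Acl -LiteralPath $_.FullName).Owner
            if ($TrustedWriters -notcontains $owner) {
                [pscustomobject]@{ File = $_.FullName; Owner = $owner; Written = $_.LastWriteTime }
            }
        }
}

# 1. Audit the shared directory DFIR-ORC extracts into by default.
$shared = Join-Path $env:SystemRoot 'Temp'
$bad = Get-UntrustedWriters -Path $shared
if ($bad) {
    Write-Warning "$shared is writable by non-administrative principals:"
    $bad | Format-Table -AutoSize
}
$planted = Get-SuspiciousDlls -Path $shared
if ($planted) {
    Write-Warning "DLLs in $shared not owned by an administrative principal (inspect before running the collector):"
    $planted | Format-Table -AutoSize
}

# 2. Create a working directory that only SYSTEM and Administrators can write to.
#    Inheritance is disabled so the parent's ACEs (e.g. Users) do not leak in.
$orcTemp = 'C:\ProgramData\DFIR-ORC\tmp'    # assumed path; any administrator-only location works
New-Item -ItemType Directory -Path $orcTemp -Force | Out-Null
$acl = Get-Acl -LiteralPath $orcTemp
$acl.SetAccessRuleProtection($true, $false)  # protect from inheritance, discard inherited ACEs
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'))
}
Set-Acl -LiteralPath $orcTemp -AclObject $acl

# 3. Verify the result, then launch the collector with /tempdir pointing at it.
if (Get-UntrustedWriters -Path $orcTemp) {
    throw "$orcTemp is still writable by untrusted principals; refusing to run the collector"
}
& 'C:\Tools\DFIR-Orc.exe' "/tempdir=$orcTemp"   # assumed binary path and option syntax
```

On a default installation step 1 reports BUILTIN\Users with CreateFiles/AppendData on C:\Windows\Temp, which is the condition the planted DLL relies on. The owner check is only a heuristic: a hit deserves a hash and a look at the file, not an automatic delete, since the file may itself be evidence.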

Generated by OpenCVE AI on June 18, 2026 at 17:54 UTC.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Values removed: none. Values added:
  • Description: Local privilege escalation by loading DLLs from a shared temporary directory in ANSSI’s DFIR-ORC, versions 10.2.7 and prior. An attacker with prior access to the system can place a malicious DLL in C:\Windows\Temp and wait for the application to be executed. Because DFIR-ORC is extracted and executed from that location with administrative privileges, the malicious library can be loaded automatically, allowing the attacker to gain administrator privileges on the affected machine.
  • Title: Local privilege escalation in ANSSI’s DFIR-ORC
  • Weaknesses: CWE-427
  • References: (none listed)
  • Metrics (cvssV4_0): {'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}



MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-06-18T12:28:09.762Z

Reserved: 2026-06-11T07:32:37.322Z

Link: CVE-2026-11958

Vulnrichment

Updated: 2026-06-18T12:28:05.462Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T18:00:11Z

Weaknesses
  • CWE-427: Uncontrolled Search Path Element