Description
The installer for Roland Cloud Manager ver.3.1.19 and prior insecurely loads Dynamic Link Libraries (DLLs), which could allow an attacker to execute arbitrary code with the privileges of the application.
Published: 2026-02-03
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

The installer for Roland Cloud Manager 3.1.19 and earlier contains an insecure DLL loading mechanism. This flaw is a classic example of a path‑based DLL injection vulnerability, identified as CWE‑427. If an attacker is able to influence which libraries are loaded during installation, they can place a malicious DLL in a location that the installer trusts and thus execute arbitrary code with the same privileges held by the application.

Affected Systems

Vulnerable systems are those running Roland Cloud Manager for Windows, version 3.1.19 or lower. The product is distributed by Roland Corporation under the Roland Cloud Manager suite. No other products or versions are known to be affected based on the current CNA information.

Risk and Exploitability

The risk profile is high: CVSS 8.4 indicates a serious impact. EPSS < 1 % suggests that exploitation, while technically feasible, is expected to be infrequent. The vulnerability is not listed in the CISA KEV catalog, meaning no active exploits have been reported yet. The attack vector is inferred to be local or remote, depending on whether the attacker can run the installer or supply a custom DLL; however, the description does not explicitly state the required conditions. In either case, success would give the attacker the same rights as the application, potentially compromising system integrity or allowing further lateral movement.

Generated by OpenCVE AI on April 18, 2026 at 00:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Roland Cloud Manager to the latest version, which contains a fix for the insecure DLL loading.
  • Reinstall the application after verifying that no untrusted DLLs remain in the installation directories.
  • Configure the operating system or application settings to block automatic loading of DLLs from non‑trusted locations, ensuring that only signed, verified libraries can be used during installation.

Generated by OpenCVE AI on April 18, 2026 at 00:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 00:45:00 +0000

Type Values Removed Values Added
Title Installer Loads Untrusted DLLs Leading to Arbitrary Code Execution in Roland Cloud Manager

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Roland Corporation
Roland Corporation roland Cloud Manager
Vendors & Products Roland Corporation
Roland Corporation roland Cloud Manager

Tue, 03 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 03 Feb 2026 13:15:00 +0000

Type Values Removed Values Added
Description The installer for Roland Cloud Manager ver.3.1.19 and prior insecurely loads Dynamic Link Libraries (DLLs), which could allow an attacker to execute arbitrary code with the privileges of the application.
Weaknesses CWE-427
References
Metrics cvssV3_0

{'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Roland Corporation Roland Cloud Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-02-03T16:01:27.410Z

Reserved: 2026-01-27T04:24:11.368Z

Link: CVE-2026-24694

cve-icon Vulnrichment

Updated: 2026-02-03T16:00:43.088Z

cve-icon NVD

Status : Deferred

Published: 2026-02-03T06:15:53.547

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24694

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:30:25Z

Weaknesses