Description
Punto Switcher through 4.5.0.583 contains an unquoted search path element vulnerability that allows local attackers to execute arbitrary code by exploiting the application's call to WinExec without a fully qualified path for RunDll32.exe when invoking shell32.dll Control_RunDLL input.dll. Attackers can place a malicious executable earlier in the search order to achieve arbitrary code execution in the context of the affected user.
Published: 2026-06-18
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Punto Switcher up to version 4.5.0.583 includes an unquoted search path element vulnerability. The application calls WinExec without providing a fully qualified path for RunDll32.exe, which means that if an attacker can place a malicious file earlier in the search order, the application will execute that file instead of the intended system library. This flaw allows a local user to run arbitrary code with the privileges of the affected process, effectively enabling local privilege escalation and arbitrary code execution.

Affected Systems

Yandex Punto Switcher versions through 4.5.0.583 are affected. Users running any of these releases remain at risk until an updated version is installed.

Risk and Exploitability

The CVSS score of 8.5 reflects a high‑severity local exploitation scenario. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the flaw remains dangerous because any local user who can influence the search order can trigger execution of arbitrary code. Attackers can achieve this by placing a malicious executable earlier in the search path, allowing the application to run it in the context of the affected user. The lack of network exposure limits the attack surface to local users, but the consequences of successful exploitation are severe.

Generated by OpenCVE AI on June 18, 2026 at 21:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Punto Switcher to the latest version that fixes the unquoted search path issue.
  • Remove or rename any files that could appear before RunDll32.exe in the system search order, such as malicious executables placed in directories that precede system directories in the PATH environment variable.
  • Configure the application or adjust the system PATH to use fully qualified paths only, and remove unnecessary directories from the search path for the affected user.
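The Impact section and the actions above both hinge on where an unqualified "rundll32.exe" is looked up. As an added audit script (not the advisory's or Yandex's code), the PowerShell below walks the order CreateProcess, the API behind WinExec, uses for a bare file name: application directory, the parent's current directory, System32, the 16-bit system directory, the Windows directory, then PATH. It reports each directory consulted before the real copy is found and whether the current user can write there; the install directory is an assumption to be replaced with the real one.

```powershell
# Added audit script, not part of the advisory or of Punto Switcher: lists the
# directories CreateProcess (the API behind WinExec) searches for a bare
# "rundll32.exe" ahead of the System32 copy and whether the user can write there.
param(
    # Assumed install directory; point this at the real Punto Switcher folder.
    [string]$AppDir  = (Join-Path $env:ProgramFiles 'Yandex\Punto Switcher'),
    [string]$ExeName = 'rundll32.exe'
)
$system32 = [Environment]::GetFolderPath('System')
$windows  = [Environment]::GetFolderPath('Windows')
$expected = Join-Path $system32 $ExeName

# CreateProcess search order for a file name without a path: application
# directory, parent's current directory, System32, 16-bit system directory,
# Windows directory, then each PATH entry in turn.
$searchOrder = @(
    $AppDir,
    (Get-Location).ProviderPath,
    $system32,
    (Join-Path $windows 'System'),
    $windows
) + ($env:Path -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

function Test-UserWritable([string]$Dir) {
    # Probe by creating and deleting a random file: this reflects effective
    # permissions without interpreting the ACL by hand.
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try { [IO.File]::WriteAllText($probe, ''); Remove-Item -LiteralPath $probe -Force; return $true }
    catch { return $false }
}

$resolved = $null
foreach ($dir in $searchOrder) {
    $candidate = Join-Path $dir $ExeName
    $exists    = Test-Path -LiteralPath $candidate -PathType Leaf
    $state = if ($exists) { "CONTAINS $ExeName" }
             elseif (-not (Test-Path -LiteralPath $dir -PathType Container)) { 'not present' }
             elseif (Test-UserWritable $dir) { 'WRITABLE by current user' }
             else { 'ok' }
    # BEFORE marks directories searched ahead of the first hit; only those
    # matter for the unquoted search path issue described in this advisory.
    $phase = if ($resolved) { 'after ' } else { 'BEFORE' }
    '{0} {1,-55} {2}' -f $phase, $dir, $state
    if ($exists -and -not $resolved) { $resolved = $candidate }
}
if ($resolved -and ($resolved -ine $expected)) {
    Write-Warning "'$ExeName' resolves to $resolved rather than $expected."
}
```

Run it as the account that launches Punto Switcher, since writability and the current directory are evaluated for the calling user.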


Advisories

No advisories yet.

History

Thu, 18 Jun 2026 19:45:00 +0000

Type | Values Removed | Values Added
Description | | Punto Switcher through 4.5.0.583 contains an unquoted search path element vulnerability that allows local attackers to execute arbitrary code by exploiting the application's call to WinExec without a fully qualified path for RunDll32.exe when invoking shell32.dll Control_RunDLL input.dll. Attackers can place a malicious executable earlier in the search order to achieve arbitrary code execution in the context of the affected user.
Title | | Punto Switcher 4.5.0.583 Unquoted Search Path via WinExec
Weaknesses | | CWE-428
References | |
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
 | | cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Updated: 2026-06-18T19:39:14.489Z

Reserved: 2026-02-06T19:12:03.463Z

Link: CVE-2026-25865

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T21:15:03Z

Weaknesses
  • CWE-428: Unquoted Search Path or Element