Impact
The vulnerability allows a specially crafted URL to be processed by D.Launcher 2, which holds multiple custom URL handlers. When a user opens such a URL, the application could initiate a full NTLM authentication or establish an SMB connection to an attacker’s infrastructure, thereby leaking NTLM credentials. Additionally, the same misprocessing can be used to perform SSRF attacks that reach internal resources. The description states explicitly that user interaction is required, so the impact materializes only when a victim opens a malicious link.
Affected Systems
The affected product is D.Launcher 2 from Ditec. Specific version information is not provided in the report, so all releases of the application are potentially vulnerable until a patch is available.
Risk and Exploitability
The CVSS score of 6.5 reflects a medium severity vulnerability with potential for moderate impact. The EPSS score is not available, suggesting current data is insufficient to gauge exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation as of now. Attackers would likely need to host a malicious SMB service or set up a server capable of receiving NTLM traffic; this inference is based on the description of initiating full NTLM authentication or SMB connection. Because user interaction is required, the risk is mitigated compared to purely remote exploits, but credential disclosure and SSRF could still be highly damaging if abused. Monitoring should focus on SMB traffic originating from unknown or external hosts and on any user-initiated URL handling within the application.
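One way to implement the SMB monitoring described above, as an added example that is not part of the advisory or of any vendor tooling. It reads the recommendation as flagging workstation connections to SMB ports on addresses outside the internal ranges. The log format, the internal ranges and the process name are assumptions, and the sample records are constructed.

```python
import csv
import ipaddress

# Assumption: these ranges count as "internal" for the monitored network; adjust per site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP

# Constructed sample records (timestamp, process, dst_ip, dst_port); not real telemetry.
# The process name is a placeholder: the advisory does not name the executable.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z,launcher-placeholder.exe,192.168.1.20,445
2024-01-01T10:00:05Z,launcher-placeholder.exe,203.0.113.10,445
2024-01-01T10:00:09Z,browser.exe,198.51.100.7,443
2024-01-01T10:00:12Z,explorer.exe,198.51.100.7,139
2024-01-01T10:00:15Z,launcher-placeholder.exe,not-an-ip,445
"""

def is_internal(addr):
    """True if the address falls inside one of the configured internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)

def flag_external_smb(log_text):
    """Return records whose destination is an SMB port on a non-internal address."""
    hits = []
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 4:
            continue  # skip malformed lines
        ts, process, dst_ip, dst_port = (f.strip() for f in row)
        try:
            addr = ipaddress.ip_address(dst_ip)
            port = int(dst_port)
        except ValueError:
            continue  # unparseable address or port
        if port in SMB_PORTS and not is_internal(addr):
            hits.append({"time": ts, "process": process, "dst": str(addr), "port": port})
    return hits

if __name__ == "__main__":
    for hit in flag_external_smb(SAMPLE_LOG):
        print(hit)
```

The internal ranges are listed explicitly rather than derived from `ipaddress.is_private`, which also treats the documentation ranges used in the sample data as private.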