CVE-2025-26861 is an uncontrolled search path element vulnerability found in RSUPPORT CO., LTD.'s RemoteCall Remote Support Program (for Operator) versions prior to 5.3.0. This vulnerability arises because the application loads DLLs from its own directory without validating the source or path, allowing an attacker to place a malicious DLL alongside the legitimate executable. When the program loads this crafted DLL, it results in arbitrary code execution under the context of the user running the application. The vulnerability requires local access and user interaction, such as convincing a user to launch the vulnerable program in a directory containing the malicious DLL. No privileges or authentication are needed, which lowers the barrier for exploitation once local access is obtained. The CVSS v3.0 score of 7.8 reflects high impact on confidentiality, integrity, and availability, as arbitrary code execution can lead to full system compromise, data theft, or disruption of services. Although no exploits are currently reported in the wild, the nature of the vulnerability makes it a significant risk, especially in environments where remote support tools are widely used. The lack of patch links suggests that users should monitor RSUPPORT's official channels for updates or consider upgrading to version 5.3.0 or later where the issue is resolved.

For European organizations, this vulnerability poses a serious risk, particularly for enterprises relying on RSUPPORT's RemoteCall for remote support operations. Successful exploitation can lead to unauthorized access to sensitive data, disruption of critical support services, and potential lateral movement within corporate networks. Industries such as finance, healthcare, and critical infrastructure that depend on remote support tools are especially vulnerable. The ability to execute arbitrary code without authentication means attackers can implant persistent malware, exfiltrate confidential information, or disrupt operations. Given the requirement for local access, insider threats or attackers who have already gained footholds through phishing or other means could leverage this vulnerability to escalate privileges or move laterally. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as public disclosure often leads to rapid development of exploit code. European organizations must therefore treat this vulnerability as a high priority for remediation to avoid potential targeted attacks.

To mitigate CVE-2025-26861, European organizations should immediately upgrade RemoteCall Remote Support Program to version 5.3.0 or later, where the vulnerability is fixed. Until patching is possible, implement strict file system permissions to prevent unauthorized users from writing or placing DLL files in the application directory. Employ application whitelisting and code integrity verification to detect and block unauthorized DLLs. Educate users about the risks of running software from untrusted directories and enforce policies that restrict execution of applications from user-writable locations. Network segmentation can limit the ability of attackers to gain local access to systems running the vulnerable software. Additionally, monitor system and application logs for unusual DLL loading activities or unexpected process behaviors. Organizations should also maintain up-to-date endpoint detection and response (EDR) solutions capable of identifying suspicious DLL injection or code execution patterns. Finally, coordinate with RSUPPORT for official patches and advisories to ensure timely updates.