CVE-2025-40979 is a high-severity DLL search order hijacking vulnerability affecting the Wave softphone application by Grandstream Networks, specifically the wave.exe executable on Windows 11 systems (version 1.27.8). The vulnerability arises from an uncontrolled search path element (CWE-427), where the application loads DLLs from a directory that can be influenced by a local attacker. In this case, the vulnerable executable searches for DLLs in the user's temporary directory (C:\Users\<user>\AppData\Local\Temp), which is writable by the user and potentially by other local processes. An attacker with local access can place a malicious DLL in this directory, which the application will load, leading to arbitrary code execution within the context of the user running the Wave application. This can enable persistence mechanisms and further compromise of the affected system. The vulnerability is specific to Windows 11 and does not affect earlier Windows versions. The CVSS v4.0 base score is 7.0, reflecting a high severity due to the combination of local attack vector, low complexity, no required privileges beyond local user, and partial user interaction. The vulnerability does not require elevated privileges but does require local access and user interaction, which limits remote exploitation but still poses a significant risk in environments where local access can be gained or where malicious insiders or compromised accounts exist. No known exploits in the wild have been reported yet, and no patches have been published at the time of this analysis.

For European organizations, this vulnerability presents a notable risk especially in environments where Grandstream Wave is deployed on Windows 11 endpoints. The ability for an attacker with local access to execute arbitrary code can lead to full compromise of the affected workstation, enabling lateral movement, data exfiltration, or persistence within the network. This is particularly concerning for organizations with sensitive communications or those relying on Wave for VoIP and unified communications, as compromised endpoints could lead to interception or manipulation of communications. The impact is heightened in sectors with high security requirements such as finance, government, healthcare, and critical infrastructure. Since the vulnerability requires local access, the threat is more pronounced in scenarios involving insider threats, compromised user accounts, or physical access to devices. The lack of a patch increases the window of exposure. Additionally, the specificity to Windows 11 means organizations rapidly adopting this OS version are at greater risk. Given the high confidentiality, integrity, and availability impact potential, European organizations should prioritize mitigation to prevent exploitation.

1. Restrict local access: Enforce strict access controls and endpoint security policies to limit who can log into or execute code on Windows 11 machines running Wave. 2. Application whitelisting: Use application control solutions to prevent unauthorized DLLs from loading or executing within the Wave application context. 3. Monitor and audit: Implement monitoring for unusual file creation or DLL loading activities in the user's Temp directory, and audit Wave application behavior for anomalies. 4. User education: Train users to recognize and report suspicious activity, especially regarding file downloads or execution in their user directories. 5. Temporary workaround: Until a patch is available, consider running Wave with reduced privileges or in a sandboxed environment to limit the impact of potential DLL hijacking. 6. Vendor engagement: Engage with Grandstream Networks for timely patch releases and apply updates as soon as they become available. 7. Endpoint detection and response (EDR): Deploy EDR solutions capable of detecting DLL hijacking attempts and anomalous process behaviors related to Wave. 8. Restrict write permissions: Where feasible, restrict write permissions to the Temp directory or isolate the environment to prevent unauthorized DLL placement. These measures combined can reduce the attack surface and mitigate the risk of exploitation.