CVE-2025-4539: Uncontrolled Search Path in Hainan ToDesk

Severity: High
Tags: Vulnerability, CVE, CVE-2025-4539
Published: Sun May 11 2025 (05/11/2025, 11:00:10 UTC)
Source: CVE
Vendor/Project: Hainan
Product: ToDesk

Description

A vulnerability was found in Hainan ToDesk 4.7.6.3. It has been declared as critical. This vulnerability affects unknown code in the library profapi.dll of the component DLL File Parser. The manipulation leads to uncontrolled search path. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 07/12/2025, 04:47:26 UTC

Technical Analysis

CVE-2025-4539 is a critical vulnerability identified in Hainan ToDesk version 4.7.6.3, specifically within the DLL File Parser component, affecting the library profapi.dll. The vulnerability is an uncontrolled search path issue: the application does not adequately control the order or the locations from which it loads DLL files. An attacker with local access and low privileges can therefore influence the DLL loading process and potentially cause the application to load a malicious DLL in place of the legitimate one, leading to unauthorized code execution or privilege escalation in the context of the ToDesk application. Attack complexity is considered high and exploitation is difficult; the attack requires local access but no user interaction. The vulnerability impacts confidentiality, integrity, and availability at a high level, as indicated by the CVSS 4.0 score of 7.3. The vendor, Hainan, has not responded to early notifications about this issue, and no patch has been released yet. Although no exploits are currently observed in the wild, the public disclosure of an exploit increases the risk of future exploitation. The local-privilege requirement limits remote exploitation but still poses a significant risk in environments where local access can be gained or where multiple users share systems. This uncontrolled search path vulnerability is a classic DLL hijacking scenario: if an attacker can place a malicious DLL in a location that the application searches before the legitimate DLL, it can be used to execute arbitrary code or escalate privileges.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially in environments where ToDesk is used for remote desktop or support functions. If exploited, attackers could gain unauthorized code execution capabilities on affected hosts, potentially leading to lateral movement within networks, data theft, or disruption of services. The high complexity and requirement for local access reduce the likelihood of widespread exploitation but do not eliminate the threat, particularly in environments with shared or poorly secured endpoints. Organizations in sectors with sensitive data or critical infrastructure could face confidentiality breaches or operational disruptions. The lack of vendor response and absence of patches increase the window of exposure, making timely mitigation by organizations themselves critical. Additionally, the uncontrolled search path vulnerability could be chained with other vulnerabilities or social engineering to escalate privileges or maintain persistence, amplifying the impact on European enterprises relying on ToDesk for remote access.

Mitigation Recommendations

European organizations should immediately audit their use of Hainan ToDesk, specifically version 4.7.6.3, and restrict its deployment to trusted and secure environments. Since no official patch is available, organizations should implement the following specific mitigations:

1) Restrict local user permissions so that unauthorized users cannot place or modify DLL files in directories searched by ToDesk, in particular the application's own install directory.
2) Use application whitelisting and integrity verification tools to monitor and block unauthorized DLL loads or modifications.
3) Employ endpoint detection and response (EDR) solutions to detect suspicious DLL loading behavior (for example, profapi.dll loaded from a location other than the Windows system directory) or privilege escalation attempts.
4) Isolate systems running ToDesk from untrusted networks and users to minimize the risk of local access.
5) Consider temporarily disabling or replacing ToDesk with an alternative remote desktop solution until a vendor patch is released.
6) Monitor security advisories closely for updates or patches from Hainan and apply them promptly once available.
7) Educate local users about the risks of executing untrusted code or placing files in application directories.

These targeted mitigations go beyond generic advice by focusing on controlling DLL search paths, restricting local privileges, and monitoring for exploitation attempts.
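As an added example (not from the advisory, VulDB or the vendor), the following PowerShell audit covers mitigations 1 through 3 on a single host: it reports non-administrative principals that can write into the ToDesk install directory, and it flags any running ToDesk process that holds a profapi.dll loaded from outside System32. The install path and process name are placeholders, since the advisory does not state them.

```powershell
# Added example, not part of the advisory. Audits one host for the two conditions
# that make DLL search-path abuse of profapi.dll possible: a writable application
# directory, and a profapi.dll resolved from somewhere other than System32.
# ASSUMPTIONS: $InstallDir and $ProcessName are placeholders; adjust to the deployment.
param(
    [string]$InstallDir  = 'C:\Program Files\ToDesk',   # placeholder path
    [string]$ProcessName = 'ToDesk'                     # placeholder process name
)

$system32  = Join-Path $env:SystemRoot 'System32'
$findings  = @()

# 1) Which non-privileged principals can create or modify files in the install directory?
$writeMask  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, WriteData, WriteAttributes, WriteExtendedAttributes, Delete'
$privileged = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
if (Test-Path -LiteralPath $InstallDir) {
    foreach ($ace in (Get-Acl -LiteralPath $InstallDir).Access) {
        # Inherit-only ACEs (e.g. CREATOR OWNER) do not apply to the directory itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                       (($ace.FileSystemRights -band $writeMask) -ne 0)
        if ($grantsWrite -and ($privileged -notcontains $ace.IdentityReference.Value)) {
            $findings += "Write access for non-admin principal '$($ace.IdentityReference)' on $InstallDir"
        }
    }
} else {
    $findings += "Install directory not found: $InstallDir"
}

# 2) Is a live ToDesk process holding a profapi.dll that did not come from System32?
foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    try {
        foreach ($m in $p.Modules) {
            if ($m.ModuleName -ieq 'profapi.dll' -and
                -not $m.FileName.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
                $findings += "PID $($p.Id) loaded profapi.dll from $($m.FileName)"
            }
        }
    } catch {
        # Module enumeration needs matching bitness and sufficient rights; report, don't abort.
        $findings += "Could not enumerate modules of PID $($p.Id): $($_.Exception.Message)"
    }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No findings.' }
```

Run it elevated so that module enumeration of the ToDesk process succeeds; any line reporting write access for a non-admin principal or a profapi.dll path outside System32 warrants immediate follow-up.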

Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-05-10T12:59:55.113Z
Cisa Enriched
true
Cvss Version
4.0
State
PUBLISHED

Threat ID: 682d9817c4522896dcbd70c3

Added to database: 5/21/2025, 9:08:39 AM

Last enriched: 7/12/2025, 4:47:26 AM

Last updated: 8/15/2025, 12:02:10 AM
