CVE-2026-25865: Unquoted Search Path or Element in Yandex Punto Switcher
Yandex Punto Switcher versions up to 4.5.0.583 contain an unquoted search path vulnerability. This flaw allows local attackers to execute arbitrary code by placing a malicious executable earlier in the search order when the application calls WinExec without quoting the path for RunDll32.exe. The vulnerability affects the way the application invokes shell32.dll Control_RunDLL input.dll, enabling code execution in the context of the affected user.
AI Analysis
Technical Summary
CVE-2026-25865 is an unquoted search path vulnerability in Yandex Punto Switcher through version 4.5.0.583. The application calls WinExec to run RunDll32.exe without a fully qualified and quoted path, specifically when invoking shell32.dll Control_RunDLL input.dll. Because of this, a local attacker can place a malicious executable in a directory that appears earlier in the system's search path, causing the malicious code to be executed with the privileges of the user running Punto Switcher.
Potential Impact
Successful exploitation allows local attackers to execute arbitrary code with the privileges of the affected user. This can lead to unauthorized actions on the system, including potential privilege escalation if the user has elevated rights. The vulnerability does not require user interaction and has a high CVSS 4.0 score of 8.5, indicating significant impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should restrict local access to trusted users only and consider running the application with least privilege. Avoid placing untrusted directories early in the system PATH environment variable. Monitor for vendor updates regarding an official patch or workaround.
CVE-2026-25865: Unquoted Search Path or Element in Yandex Punto Switcher
Description
Yandex Punto Switcher versions up to 4.5.0.583 contain an unquoted search path vulnerability. This flaw allows local attackers to execute arbitrary code by placing a malicious executable earlier in the search order when the application calls WinExec without quoting the path for RunDll32.exe. The vulnerability affects the way the application invokes shell32.dll Control_RunDLL input.dll, enabling code execution in the context of the affected user.
CVSS v4.0
Score 8.5high
Affected software
pkg:github/yandex/punto-switcherRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-25865 is an unquoted search path vulnerability in Yandex Punto Switcher through version 4.5.0.583. The application calls WinExec to run RunDll32.exe without a fully qualified and quoted path, specifically when invoking shell32.dll Control_RunDLL input.dll. Because of this, a local attacker can place a malicious executable in a directory that appears earlier in the system's search path, causing the malicious code to be executed with the privileges of the user running Punto Switcher.
Potential Impact
Successful exploitation allows local attackers to execute arbitrary code with the privileges of the affected user. This can lead to unauthorized actions on the system, including potential privilege escalation if the user has elevated rights. The vulnerability does not require user interaction and has a high CVSS 4.0 score of 8.5, indicating significant impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should restrict local access to trusted users only and consider running the application with least privilege. Avoid placing untrusted directories early in the system PATH environment variable. Monitor for vendor updates regarding an official patch or workaround.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-02-06T19:12:03.463Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a344c3bf198dc38c1709d68
Added to database: 6/18/2026, 7:51:23 PM
Last enriched: 6/18/2026, 8:06:21 PM
Last updated: 6/18/2026, 11:57:38 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.