{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10549", "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "state": "PUBLISHED", "assignerShortName": "SEC-VLab", "dateReserved": "2025-09-16T11:59:48.866Z", "datePublished": "2026-04-23T06:57:27.220Z", "dateUpdated": "2026-04-29T19:32:11.851Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "shortName": "SEC-VLab", "dateUpdated": "2026-04-23T06:57:27.220Z"}, "title": "DLL Hijacking in EfficientLab Controlio Leads to Local Privilege Escalation", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-427", "description": "CWE-427 Uncontrolled Search Path Element", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-471", "descriptions": [{"lang": "en", "value": "CAPEC-471 Search Order Hijacking"}]}], "affected": [{"vendor": "EfficientLab, LLC", "product": "Controlio", "versions": [{"status": "affected", "version": "<1.3.95"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "EfficientLab Controlio before v1.3.95 contains a DLL hijacking vulnerability caused by weak folder permissions in the installation directory. A local attacker can place a specially crafted DLL in this directory and achieve arbitrary code execution with highest privileges, because the affected service runs as NT AUTHORITY\\SYSTEM.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "EfficientLab Controlio before v1.3.95 contains a DLL hijacking vulnerability caused by weak folder permissions in the installation directory. A local attacker can place a specially crafted DLL in this directory and achieve arbitrary code execution with highest privileges, because the affected service runs as NT AUTHORITY\\SYSTEM.<br>"}]}], "references": [{"url": "https://r.sec-consult.com/controlio", "tags": ["third-party-advisory"]}, {"url": "https://kb.controlio.net/hc/en-us/articles/45777908471185-Client-Update-April-15-2026-ver-1-3-95", "tags": ["release-notes"]}], "solutions": [{"lang": "en", "value": "The vendor provides a patch v1.3.95 which should be installed immediately.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The vendor provides a patch v1.3.95 which should be installed immediately.<br>"}]}], "credits": [{"lang": "en", "value": "Tobias Niemann, SEC Consult Vulnerability Lab", "type": "finder"}, {"lang": "en", "value": "Daniel Hirschberger, SEC Consult Vulnerability Lab", "type": "finder"}, {"lang": "en", "value": "Thorger Jansen, SEC Consult Vulnerability Lab", "type": "finder"}, {"lang": "en", "value": "Marius Renner, SEC Consult Vulnerability Lab", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T14:03:09.422669Z", "id": "CVE-2025-10549", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T14:03:43.631Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2026/Apr/19"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-29T19:32:11.851Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2026/Apr/19"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-29T19:32:11.851Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-10549", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T14:03:09.422669Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T14:03:39.293Z"}}], "cna": {"title": "DLL Hijacking in EfficientLab Controlio Leads to Local Privilege Escalation", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Tobias Niemann, SEC Consult Vulnerability Lab"}, {"lang": "en", "type": "finder", "value": "Daniel Hirschberger, SEC Consult Vulnerability Lab"}, {"lang": "en", "type": "finder", "value": "Thorger Jansen, SEC Consult Vulnerability Lab"}, {"lang": "en", "type": "finder", "value": "Marius Renner, SEC Consult Vulnerability Lab"}], "impacts": [{"capecId": "CAPEC-471", "descriptions": [{"lang": "en", "value": "CAPEC-471 Search Order Hijacking"}]}], "affected": [{"vendor": "EfficientLab, LLC", "product": "Controlio", "versions": [{"status": "affected", "version": "<1.3.95"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The vendor provides a patch v1.3.95 which should be installed immediately.", "supportingMedia": [{"type": "text/html", "value": "The vendor provides a patch v1.3.95 which should be installed immediately.<br>", "base64": false}]}], "references": [{"url": "https://r.sec-consult.com/controlio", "tags": ["third-party-advisory"]}, {"url": "https://kb.controlio.net/hc/en-us/articles/45777908471185-Client-Update-April-15-2026-ver-1-3-95", "tags": ["release-notes"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "EfficientLab Controlio before v1.3.95 contains a DLL hijacking vulnerability caused by weak folder permissions in the installation directory. A local attacker can place a specially crafted DLL in this directory and achieve arbitrary code execution with highest privileges, because the affected service runs as NT AUTHORITY\\SYSTEM.", "supportingMedia": [{"type": "text/html", "value": "EfficientLab Controlio before v1.3.95 contains a DLL hijacking vulnerability caused by weak folder permissions in the installation directory. A local attacker can place a specially crafted DLL in this directory and achieve arbitrary code execution with highest privileges, because the affected service runs as NT AUTHORITY\\SYSTEM.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-427", "description": "CWE-427 Uncontrolled Search Path Element"}]}], "providerMetadata": {"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "shortName": "SEC-VLab", "dateUpdated": "2026-04-23T06:57:27.220Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10549", "state": "PUBLISHED", "dateUpdated": "2026-04-29T19:32:11.851Z", "dateReserved": "2025-09-16T11:59:48.866Z", "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "datePublished": "2026-04-23T06:57:27.220Z", "assignerShortName": "SEC-VLab"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "EfficientLab Controlio before v1.3.95 contains a DLL hijacking vulnerability caused by weak folder permissions in the installation directory. A local attacker can place a specially crafted DLL in this directory and achieve arbitrary code execution with highest privileges, because the affected service runs as NT AUTHORITY\\SYSTEM."}], "id": "CVE-2025-10549", "lastModified": "2026-04-29T20:16:28.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 4.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-23T07:16:39.720", "references": [{"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "url": "https://kb.controlio.net/hc/en-us/articles/45777908471185-Client-Update-April-15-2026-ver-1-3-95"}, {"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "url": "https://r.sec-consult.com/controlio"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2026/Apr/19"}], "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.95)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Controlio", "source": "cna", "vendor": "EfficientLab, LLC"}, "product": "controlio", "vendor": "efficientlab"}], "analysis": {"en": {"generated_at": "2026-04-28T14:57:58.486281+00:00", "value": {"mitigation_remediation": ["Install the vendor\u2011provided patch v1.3.95 as soon as possible.", "Update the folder permissions on the Controlio installation directory to deny write access to non\u2011admin accounts.", "Ensure the Controlio service runs with the least privilege necessary; if possible remove SYSTEM rights."], "summary": {"action": "Immediate Patch", "impact": "Local Privilege Escalation via arbitrary code execution"}, "threat_synthesis": {"affected_systems": "EfficientLab, LLC Controlio software installations running on Windows where the installation folder has insecure permissions. Versions before v1.3.95 are affected; the vendor recommends applying patch v1.3.95.", "description_and_impact": "The flaw is a DLL hijacking weakness in EfficientLab Controlio versions prior to 1.3.95. Weak permissions on the installation directory allow a local user to drop a malicious DLL, which the privileged service loads, leading to execution of attacker code with the SYSTEM account. This gives full control of the machine.", "risk_and_exploitability": "The CVSS base score of 5.1 indicates a moderate severity risk, and the very low EPSS score of less than 1% suggests it is unlikely to be actively exploited in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers must have local access to the machine and write permission to the installation directory to succeed."}}}}, "created": "2026-04-28T09:26:17.701204+00:00", "updated": "2026-04-28T15:00:14.537505+00:00", "vendors": ["efficientlab", "efficientlab$PRODUCT$controlio"]}