{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21408", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-01-19T06:37:18.443Z", "datePublished": "2026-01-27T05:08:20.229Z", "dateUpdated": "2026-01-27T20:50:14.682Z"}, "containers": {"cna": {"affected": [{"vendor": "FUJIFILM Business Innovation Corp.", "product": "beat-access for Windows", "versions": [{"version": "version 3.0.3 and prior", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "beat-access for Windows version 3.0.3 and prior contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with SYSTEM privileges."}], "problemTypes": [{"descriptions": [{"description": "Uncontrolled Search Path Element", "lang": "en-US", "cweId": "CWE-427", "type": "CWE"}]}], "references": [{"url": "https://www.fujifilm.com/fbglobal/eng/company/news/notice/2026/0127_announce.html"}, {"url": "https://jvn.jp/en/jp/JVN03776126/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "HIGH", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.4, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-01-27T05:08:20.229Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T20:50:01.275607Z", "id": "CVE-2026-21408", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T20:50:14.682Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21408", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-27T20:50:01.275607Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T20:50:11.355Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "FUJIFILM Business Innovation Corp.", "product": "beat-access for Windows", "versions": [{"status": "affected", "version": "version 3.0.3 and prior"}]}], "references": [{"url": "https://www.fujifilm.com/fbglobal/eng/company/news/notice/2026/0127_announce.html"}, {"url": "https://jvn.jp/en/jp/JVN03776126/"}], "descriptions": [{"lang": "en", "value": "beat-access for Windows version 3.0.3 and prior contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with SYSTEM privileges."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-427", "description": "Uncontrolled Search Path Element"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-01-27T05:08:20.229Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21408", "state": "PUBLISHED", "dateUpdated": "2026-01-27T20:50:14.682Z", "dateReserved": "2026-01-19T06:37:18.443Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-01-27T05:08:20.229Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "beat-access for Windows version 3.0.3 and prior contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with SYSTEM privileges."}, {"lang": "es", "value": "beat-access para Windows versi\u00f3n 3.0.3 y anteriores contiene un problema con la ruta de b\u00fasqueda de DLL, lo que puede llevar a la carga insegura de librer\u00edas de Enlace Din\u00e1mico. Como resultado, se puede ejecutar c\u00f3digo arbitrario con privilegios de SYSTEM."}], "id": "CVE-2026-21408", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-01-27T06:15:59.583", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/jp/JVN03776126/"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.fujifilm.com/fbglobal/eng/company/news/notice/2026/0127_announce.html"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T02:29:55.160753+00:00", "value": {"mitigation_remediation": ["Upgrade beat\u2011access for Windows to a version newer than 3.0.3 that eliminates the insecure DLL search path.", "If an upgrade is not immediately possible, disable the use of the current DLL search path by configuring Windows to require explicitly defined DLL locations or by setting the DLL search order to use only the application directory.", "Apply application control such as AppLocker or Windows Defender Credential Guard to block unauthorized DLL execution within the beat\u2011access runtime environment."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "FUJIFILM Business Innovation Corp.'s beat\u2011access for Windows for all versions 3.0.3 and earlier are affected. No specific sub\u2011versions are listed beyond that threshold.", "description_and_impact": "The vulnerability arises from an insecure DLL search path in beat\u2011access for Windows version 3.0.3 and earlier, allowing an attacker to influence the dynamic link library that the application loads. If an attacker can place a malicious DLL in a directory that the application searches, the DLL will be loaded and executed with SYSTEM privileges, resulting in arbitrary code execution on the host system. This flaw is identified as CWE\u2011427.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests a very low current exploitation probability. Because the flaw permits execution with SYSTEM rights, the impact is significant if an adversary can supply a crafted DLL. No official KEV listing currently exists, so the vulnerability has not yet been identified as a known exploited issue in the CISA catalog. The likely attack vector requires an attacker to supply a DLL that the application will load, which could be achieved via social engineering, supply chain compromise or local code execution."}}}}, "created": "2026-01-27T09:03:03.840488+00:00", "title": "DLL Search Path Vulnerability Allowing Arbitrary Code Execution with SYSTEM Privileges", "updated": "2026-04-18T02:30:15.872319+00:00", "vendors": ["fujifilm", "fujifilm$PRODUCT$beat-access_for_windows"]}