CVE-2026-36574: CactusViewer DLL Hijacking Vulnerability (CVSS 7.8 HIGH)
CactusViewer v2.3.0 contains a DLL hijacking vulnerability that allows an attacker to execute arbitrary code and escalate privileges on a system where the application is installed. The flaw occurs because the application loads dynamic libraries in an unsafe manner, enabling an attacker to place a malicious DLL in a location the application searches before legitimate system libraries. When CactusViewer runs, it loads the attacker's malicious code instead of the legitimate library, granting the attacker the same privilege level as the user running the application.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-427
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
A DLL hijacking vulnerability in Wassimulator (GitHub) CactusViewer v2.3.0 allows attackers to escalate privileges and execute arbitrary code via a crafted DLL.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36574 is a local privilege escalation vulnerability stemming from improper DLL loading practices (CWE-427: Uncontrolled Search Path Element). CactusViewer v2.3.0 searches for required dynamic libraries without properly validating the library path or restricting search scope, allowing arbitrary code execution. The vulnerability requires local access and user interaction—the application must be executed by a user on an affected system. The CVSS 3.1 vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects the local attack surface, low complexity of exploitation, and complete impact to confidentiality, integrity, and availability.
Business impact
Organizations using CactusViewer v2.3.0 face elevated risk of unauthorized code execution within user contexts. An attacker with local filesystem access could silently inject malicious code, potentially leading to credential theft, lateral movement, data exfiltration, or system compromise. The user-interaction requirement—simply running the application—lowers the barrier for exploitation in social engineering scenarios or multi-stage attacks. Business continuity may be impacted if CactusViewer is integral to workflows; availability impact includes potential system instability or denial of service if the malicious code is designed accordingly.
Affected systems
CactusViewer v2.3.0 from Wassimulator (GitHub) is confirmed affected. Users of this specific version who run the application on Windows systems (DLL hijacking primarily affects Windows environments) are at risk. The vulnerability affects any system where v2.3.0 is installed and executed with user-level or higher privileges. Later versions and alternative applications should be evaluated for similar flaws.
Exploitability
Exploitation is practical and does not require elevated privileges, advanced network capabilities, or a pre-existing foothold—only local filesystem access and the ability to trigger application execution. An attacker can craft a malicious DLL and place it in a predictable search path (e.g., the application's working directory, a shared folder, or system paths where CactusViewer searches before secure locations). Subsequent application launch automatically loads the malicious code. Attack complexity is low, making this vulnerability attractive to both opportunistic and targeted attackers. The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog, but the straightforward nature of DLL hijacking means functional exploits are likely achievable by competent threat actors.
Remediation
Immediately update CactusViewer to a patched version released after v2.3.0. Verify the updated version against the official Wassimulator GitHub repository to confirm the fix addresses DLL load-path validation. In the interim, restrict execution of CactusViewer to trusted environments and limit local filesystem access on systems where it runs. Audit directories in the DLL search path (particularly the application directory and %PATH%) for unauthorized or suspicious files. Remove the application entirely if it is not essential to operations.
Patch guidance
Check the Wassimulator GitHub repository for CactusViewer releases newer than v2.3.0 and review the changelog for security fixes related to DLL loading or library path validation. Apply the latest stable version to all affected systems. Verify patch application by confirming version numbers post-update and testing application functionality in a non-production environment first. If the vendor has not released a patch, consider alternative tools that provide similar functionality with more secure library loading mechanisms.
Detection guidance
Monitor for suspicious DLL files in directories where CactusViewer is installed or runs, particularly in the application's working directory and subdirectories. Track creation of DLLs with names matching common system libraries (e.g., kernel32.dll, ntdll.dll, msvcrt.dll) in non-standard locations. Enable file integrity monitoring on CactusViewer installation directories to detect unauthorized file additions. Log application execution events and correlate with unexpected process spawning or child processes that indicate code injection. Behavioral analysis tools may flag DLL hijacking attempts by detecting unusual library loading patterns or code execution from unexpected module sources.
Why prioritize this
HIGH CVSS score (7.8) combined with low-complexity local exploitation and user-interaction requirement warrants prompt attention. DLL hijacking is a well-established attack vector with mature tooling; organizations should treat this as a high-priority remediation item. The attack surface—any user on an affected system—is broad. While KEV status is currently negative, the vulnerability's straightforward nature and practical exploitability suggest rapid weaponization is possible. Patch as soon as a tested update is available, and in the interim, enforce application restrictions and monitor execution.
Risk score, explained
The CVSS 3.1 score of 7.8 reflects a HIGH severity assessment based on the following factors: local attack vector reduces remote risk but affects all local users; low attack complexity indicates straightforward exploitation; no privilege requirements prior to exploitation; user interaction is required (application execution), but this is a common and easily triggered action; impact to confidentiality, integrity, and availability are all high—arbitrary code execution provides complete system compromise within the user's context. The main mitigating factor is the local scope and user-interaction requirement; however, these do not significantly lower the practical risk in environments where CactusViewer is frequently used or where attackers have filesystem access.
Frequently asked questions
Is there active exploitation of CVE-2026-36574 in the wild?
CVE-2026-36574 is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no documented evidence of active exploitation at the time of publication. However, DLL hijacking is a well-understood attack vector with mature tooling, so exploitation could emerge quickly. Organizations should not wait for evidence of active exploitation before patching; the vulnerability's straightforward nature makes it a likely target for future weaponization.
Do I need administrator privileges to be affected by this vulnerability?
No. The vulnerability can be exploited by any local user without elevated privileges. An attacker with local filesystem access—such as a shared user account, a remote desktop session, or physical access—can place a malicious DLL in a directory where CactusViewer searches and trigger its execution by a victim. The malicious code then runs with the privileges of the user executing CactusViewer.
Can this vulnerability be exploited remotely?
No, this is a local vulnerability only. It requires filesystem access to place the malicious DLL. However, in environments with shared drives, network file shares, or multi-user systems, an attacker could place the DLL remotely if they have write access to those paths. Organizations should carefully control network share permissions and audit who can write to directories in common search paths.
What should I do if I cannot immediately update CactusViewer?
Implement compensating controls: restrict CactusViewer execution to only necessary users and systems, run it from a read-only directory or container if possible, enforce strict file integrity monitoring on the installation directory, and closely monitor process execution and DLL loading behavior. However, these mitigations are not substitutes for patching; schedule an update as soon as a tested patch is available.
This analysis is provided for informational purposes to support vulnerability management and security decision-making. SEC.co does not verify the accuracy of vendor advisories, patch availability, or the completeness of affected product lists beyond the source data provided. Organizations should independently validate patch applicability and test in non-production environments before deployment. No exploit code or weaponized proof-of-concept is included. Risk scores and severity ratings are based on CVSS 3.1 scoring and do not reflect organization-specific threat models or asset criticality. Consult vendor documentation and security advisories for the most current and authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-44358HIGHEspressif DangerJS Action Code Execution in Pull Request Workflows
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1