MEDIUM 6.5

CVE-2026-8993: Slovak eID D.Launcher 2 URL Handler Vulnerability (NTLM & SSRF)

The D.Launcher 2 component in the Slovak eID client ecosystem improperly handles custom URL protocols, allowing attackers to trigger NTLM authentication attempts or SMB connections to their servers, or conduct Server-Side Request Forgery (SSRF) attacks. The vulnerability requires a user to click a malicious link, making it a social engineering vector rather than an automated remote code execution. The exposure is primarily information disclosure through credential capture or network reconnaissance.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-200, CWE-74
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

D.Launcher 2 component of Slovak eID client ecosystem contains Improper URL Handler Processing vulnerability. Application registers multiple custom URL handlers that could be exploited to initiate full NTLM autentication or SMB connection to attacker infrastructure and to conduct SSRF (Server Side Request Forgery) attacks. User interaction is required as potential victim needs to open a specially crafted URL.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-8993 is an improper URL handler processing vulnerability (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-74: Improper Neutralization of Special Elements in Output). D.Launcher 2 registers multiple custom URL scheme handlers without sufficient validation or restriction on the destinations they can reach. An attacker can craft a URL using these handlers to: (1) initiate NTLM authentication flows to attacker-controlled endpoints, potentially capturing Net-NTLMv2 hashes; (2) establish SMB connections for lateral movement reconnaissance; or (3) trigger SSRF conditions where the application makes requests to internal or restricted network resources on behalf of the user. Exploitation requires user interaction—the victim must actively open the crafted URL, typically delivered via email, instant messaging, or compromised web pages.

Business impact

This vulnerability creates both immediate and supply-chain risks for organizations using Slovak eID for authentication or digital signatures. Immediate exposure includes credential compromise if users are tricked into opening malicious URLs—NTLM hashes can be captured offline via tools like Hashcat, allowing attackers to crack weak passwords and gain network access. For organizations with integrated eID workflows, SSRF exploitation could expose internal APIs, identity services, or administrative interfaces not directly internet-facing. Reputational damage and regulatory scrutiny are concerns if eID systems are breached. The medium CVSS score reflects that while the attack requires user interaction, the information disclosure potential is high and affects a trusted identity component.

Affected systems

The D.Launcher 2 component of the Slovak eID client ecosystem is affected. The vulnerability applies to systems where D.Launcher 2 is installed and users have administrator or standard user privileges to click links. Organizations using Slovak eID for workforce authentication, citizen services, or certificate-based signing are in scope. No specific version boundaries were disclosed in available advisories; organizations should consult the eID operator or vendor for patch availability and deployment status.

Exploitability

Exploitability is moderate. While the technical barrier to craft a malicious URL is low—any attacker can construct a URL using registered protocol handlers—successful exploitation depends on social engineering to make a user click the link. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) reflects network accessibility and low attack complexity, but the required user interaction (UI:R) reduces the automated attack surface. Phishing campaigns, compromised forums, or malvertising are likely delivery mechanisms. No evidence of active exploitation in the wild has been reported, but the vulnerability is straightforward enough for attackers to weaponize once disclosed.

Remediation

Apply security updates to D.Launcher 2 when made available by the Slovak eID operator or vendor. Verify patch status through official advisories rather than third-party sources. Interim mitigations include: (1) educate users not to click suspicious links claiming to be from trusted services, especially those with unfamiliar or obfuscated URLs; (2) where possible, restrict custom protocol handler registration via Group Policy (on Windows) or configuration management; (3) monitor network logs for unexpected NTLM authentication attempts or SMB connections originating from user endpoints. Organizations heavily dependent on eID should establish a patching priority and test updates in a non-production environment first.

Patch guidance

Patch availability and timelines should be confirmed directly with the Slovak eID operator or the entity responsible for D.Launcher 2 distribution. No specific patch version numbers have been disclosed publicly. Organizations should subscribe to official security notifications from the eID provider and test patches promptly in a controlled environment to ensure compatibility with existing authentication workflows. Given the medium severity and user-interaction requirement, patches can typically be scheduled within a 60-90 day window unless SSRF exploitation is confirmed in your environment.

Detection guidance

Monitor for: (1) Unusual NTLM authentication attempts from user desktops to non-standard hosts or internal servers, especially from internet-facing or external IP ranges; (2) SMB connection attempts (port 445) initiated by user processes, particularly from web browsers or email clients; (3) HTTP requests from D.Launcher 2 or related eID processes to unexpected internal or private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); (4) Process execution logs showing D.Launcher 2 spawning network tools or making outbound connections without corresponding user actions. Endpoint detection and response (EDR) tools can flag suspicious URL handler invocations. DNS and proxy logs may reveal reconnaissance attempts if an attacker tests protocol handler registration.

Why prioritize this

Despite a medium CVSS score, this vulnerability merits prompt attention because: (1) it affects identity infrastructure used for authentication and digital signatures—compromise undermines trust in the eID ecosystem; (2) NTLM capture is a persistent and well-understood attack that leads to password cracking and lateral movement; (3) SSRF exploitation could expose internal services not directly accessible to attackers; (4) the social engineering vector means awareness training and user education are critical controls; (5) organizations may not have inventory visibility into all D.Launcher 2 deployments. Prioritize according to your eID adoption rate and the sensitivity of services relying on eID for access control.

Risk score, explained

The CVSS 3.1 score of 6.5 (Medium) reflects high confidentiality impact (information disclosure via credential capture or internal network reconnaissance) with no integrity or availability impact, network accessibility, low complexity, no privilege requirement, and required user interaction. The score is appropriate because the vulnerability is exploitable via the network without special privileges, but depends on a user action. The information disclosure severity elevates it above lower scores; the user-interaction requirement prevents a higher score. Contextually, organizations relying on eID for mission-critical authentication should consider their operational risk higher than the base CVSS suggests.

Frequently asked questions

Can this vulnerability lead to ransomware or remote code execution?

No. CVE-2026-8993 enables credential capture (NTLM hashes) or SSRF-based network reconnaissance, not direct code execution. However, stolen credentials can be used to gain initial access for further attacks. The vulnerability is a stepping stone, not a direct exploitation path to system compromise.

What is NTLM and why is capturing it dangerous?

NTLM (NT LAN Manager) is a Windows authentication protocol. When D.Launcher 2 initiates an NTLM handshake with an attacker server, the attacker captures a cryptographic hash of the user's password. This hash can be cracked offline using tools like Hashcat if the password is weak or found in common wordlists. Once cracked, the attacker gains the user's actual password and can log in to networks or systems authenticating against that credential.

Is this vulnerability currently being exploited?

CVE-2026-8993 is not on the CISA Known Exploited Vulnerabilities (KEV) list and no publicly disclosed exploits have been reported. However, the vulnerability is straightforward to weaponize, and targeted phishing campaigns could exploit it before patches are widely deployed. Assume it will be exploited once public details are available.

What should I do if I use Slovak eID in my organization?

First, verify which versions of D.Launcher 2 you have deployed. Check with your eID provider or system administrator for patch status. Implement user training on not clicking suspicious links, even if they appear to come from trusted sources. Monitor network logs for unusual NTLM and SMB activity. Set a patching deadline within 60–90 days unless active exploitation is detected in your environment, in which case accelerate to 30 days.

This analysis is based on the CVE record and publicly available information as of the publication date. Patch timelines, affected product versions, and detailed vendor advisories should be verified directly with the Slovak eID operator or vendor responsible for D.Launcher 2. No exploit code or proof-of-concept details are provided. Organizations should conduct their own risk assessment based on their deployment, user populations, and reliance on eID infrastructure. SEC.co makes no guarantee of exploit availability, real-world impact, or patch release dates. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).