
Description

Crucial Storage Executive installer versions prior to 11.08.082025.00 contain a DLL preloading vulnerability. During installation, the installer runs with elevated privileges and loads Windows DLLs using an uncontrolled search path, which can cause a malicious DLL placed alongside the installer to be loaded instead of the intended system library. A local attacker who can convince a victim to run the installer from a directory containing the attacker-supplied DLL can achieve arbitrary code execution with administrator privileges.

PUBLISHED Reserved 2026-01-22 | Published 2026-01-26 | Updated 2026-01-26 | Assigner VulnCheck




HIGH: 7.1 (CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-427 Uncontrolled Search Path Element

Product status

Default status: unaffected

Any version before 11.08.082025.00: affected

Credits

Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc. (finder)

References

eu.crucial.com/support/storage-executive (product, patch)

www.vulncheck.com/...-executive-installer-dll-preloading-lpe (third-party-advisory)

cve.org (CVE-2025-71178)

nvd.nist.gov (CVE-2025-71178)
