A DLL Hijacking Vulnerability in Rufus
Overview
Rufus is a widely used utility for formatting and creating bootable USB flash drives. A critical vulnerability, identified as CVE-2025-26624, has been discovered in Rufus versions 4.6.2208 and earlier. It allows an attacker to perform a DLL hijacking attack and thereby load and execute a malicious DLL with the elevated privileges Rufus runs under. The issue arises because Rufus runs with elevated privileges from the moment it is launched and attempts to load the cfgmgr32.dll library from the same directory as its executable. If an attacker can place a malicious cfgmgr32.dll in that directory, Rufus loads it automatically, leading to privilege escalation and arbitrary code execution.
The vulnerability has been addressed in commit 74dfa49, which will be included in Rufus version 4.7. Users are strongly advised to upgrade to version 4.7 as soon as it becomes available. There are no known workarounds for this vulnerability.
Technical Details
Vulnerability Type: DLL Hijacking
Affected Versions: Rufus 4.6.2208 and earlier
Fixed Version: Rufus 4.7 (commit 74dfa49)
CVE ID: CVE-2025-26624
Published Date: February 18, 2025
The vulnerability stems from the way Rufus resolves the dynamically linked cfgmgr32.dll library. When Rufus is launched, the Windows loader searches for cfgmgr32.dll in the following order:
1. The directory from which the application is loaded.
2. The system directories.
3. The Windows directory.
Because the application directory is searched first, a malicious cfgmgr32.dll placed in the same directory as the Rufus executable is loaded instead of the legitimate copy from the system directory. Since Rufus runs with elevated privileges, the malicious code executes with those privileges, potentially allowing the attacker to take full control of the system.
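The condition described above leaves a trace on the host: the loader's choice of a cfgmgr32.dll outside System32 appears in image-load telemetry such as Sysmon Event ID 7 (Image loaded). The Python below is an added example, not code from Rufus or from this advisory, and flags any record in which a DLL carrying a Windows system library's name is loaded from a non-system directory; it also serves the EDR monitoring item under Mitigation. The dataclass modelling Sysmon's fields, the DLL list beyond cfgmgr32.dll, and every path and event in the sample are constructed for the example.

```python
"""Flag loads of well-known Windows system DLLs from outside the system
directories, using the fields of Sysmon Event ID 7 (Image loaded).

Added example for this advisory, not Rufus code. The event records below
are constructed to mirror Sysmon's Image, ImageLoaded, Signed and
Signature fields; they were not captured from a real host, and the user
and file paths in them are made up."""
import ntpath
from dataclasses import dataclass

# DLLs that Windows ships in System32 and that a legitimate process should
# only load from there. cfgmgr32.dll is the one named in CVE-2025-26624;
# the rest are other System32 libraries commonly exposed to the same
# search-order problem (assumed list; extend to taste).
SYSTEM_DLLS = {"cfgmgr32.dll", "version.dll", "dwmapi.dll", "uxtheme.dll", "propsys.dll"}

# Directories these DLLs are expected to load from, lower-cased.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass
class ImageLoad:
    image: str         # Sysmon "Image": the process doing the loading
    image_loaded: str  # Sysmon "ImageLoaded": full path of the DLL
    signed: bool       # Sysmon "Signed"
    signature: str     # Sysmon "Signature": the signer, "" when unsigned


def in_trusted_dir(path):
    """True if `path` sits directly under one of TRUSTED_DIRS."""
    return ntpath.dirname(path).lower().rstrip("\\") in TRUSTED_DIRS


def classify(ev):
    """Return a reason string if the load is suspicious, else None."""
    name = ntpath.basename(ev.image_loaded).lower()
    if name not in SYSTEM_DLLS or in_trusted_dir(ev.image_loaded):
        return None
    if not ev.signed:
        return "system DLL name loaded outside System32; unsigned"
    if "microsoft" not in ev.signature.lower():
        return f"system DLL name loaded outside System32; signed by {ev.signature}"
    return "system DLL name loaded outside System32"


def find_hijacks(events):
    """Return (process, dll path, reason) for every suspicious load."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev.image, ev.image_loaded, reason))
    return hits


# Constructed sample: the second record is what a planted cfgmgr32.dll in
# the directory Rufus was started from would produce.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\alice\Downloads\rufus.exe", r"C:\Windows\System32\cfgmgr32.dll", True, "Microsoft Windows"),
    ImageLoad(r"C:\Users\alice\Downloads\rufus.exe", r"C:\Users\alice\Downloads\cfgmgr32.dll", False, ""),
    ImageLoad(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\version.dll", True, "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\SomeApp\app.exe", r"C:\Program Files\SomeApp\helper.dll", False, ""),
]

if __name__ == "__main__":
    for proc, dll, reason in find_hijacks(SAMPLE_EVENTS):
        print(f"{proc} loaded {dll}: {reason}")
```

Only the second record is reported: the first is the legitimate System32 copy, the third is a system DLL loaded from where it belongs, and the fourth is an application's own helper library, which the rule deliberately ignores so that normal side-by-side DLLs do not generate noise.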
Sample Attack Scenario
1. Initial Access: An attacker gains access to a target system, through phishing, social engineering, or by exploiting another vulnerability, and holds only limited privileges on it.
2. Placing the Malicious DLL: The attacker identifies that Rufus version 4.6.2208 or earlier is present on the system and places a malicious cfgmgr32.dll in the same directory as the Rufus executable. This could be done by tricking the user into downloading the malicious DLL or by exploiting a separate file upload vulnerability.
3. Triggering the Vulnerability: The attacker waits for the user to launch Rufus. When Rufus starts, it attempts to load cfgmgr32.dll from the directory containing its executable and loads the attacker's DLL instead of the legitimate one.
4. Privilege Escalation and Code Execution: The malicious DLL executes with the same elevated privileges as Rufus. The attacker's code can now perform actions such as installing malware, creating backdoors, or exfiltrating sensitive data.
5. Persistence: The attacker may use the elevated privileges to establish persistence on the system, maintaining access even after the initial compromise.
Impact
Privilege Escalation: An attacker can execute code with elevated privileges, potentially gaining full control over the system.
Arbitrary Code Execution: The attacker can run any code of their choice, leading to further exploitation.
Data Exfiltration: Sensitive data on the system can be accessed and exfiltrated.
System Compromise: The attacker can install malware, create backdoors, or disrupt system operations.
Mitigation
1. Upgrade to Rufus 4.7: The vulnerability has been fixed in commit 74dfa49, which will be included in Rufus version 4.7. Users should upgrade to this version as soon as it becomes available.
2. Restrict File Permissions: Ensure that only trusted users have write permission to the directories containing Rufus and other sensitive executables, so that a low-privilege user cannot place a DLL next to an executable that runs elevated.
3. Monitor for Suspicious Activity: Use endpoint detection and response (EDR) tools to monitor for suspicious DLL loading behavior, such as a DLL bearing the name of a Windows system library being loaded from an application or user directory, and for unauthorized changes to system files.
4. User Awareness: Educate users about the risks of downloading and executing files from untrusted sources.
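The file-permission item above can be checked from the output of the built-in icacls command. The Python below is an added example, not anything from the Rufus project: it parses what `icacls <directory>` prints and reports allow ACEs that give Everyone, Users, Authenticated Users or INTERACTIVE rights sufficient to add or replace files in that directory. The two directory names and their icacls listings are constructed for the example.

```python
"""Audit a directory's ACL, as printed by `icacls <directory>`, for write
access granted to low-privilege principals: that access is what lets a
malicious cfgmgr32.dll be placed next to an elevated executable such as
Rufus.

Added example for this advisory, not Rufus project code. The directory
names and icacls listings below are constructed."""
import re
from typing import NamedTuple

# Principals that every ordinary (non-administrator) user is a member of.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls rights that allow creating or replacing files: F (full control),
# M (modify), W (generic write, which contains WD) and WD (write data /
# add file) on its own.
FILE_WRITE_RIGHTS = {"F", "M", "W", "WD"}


class Finding(NamedTuple):
    directory: str
    principal: str
    rights: str  # the write rights found, comma-separated


def parse_icacls(directory, icacls_output):
    """Yield (principal, tokens) for each ACE line in `icacls directory` output.

    icacls prints the directory once, on the first line, followed by the
    first ACE; continuation lines carry one ACE each; a trailer reports
    how many files were processed."""
    first = True
    for raw in icacls_output.splitlines():
        line = raw.strip()
        if first and line.lower().startswith(directory.lower()):
            line = line[len(directory):].strip()
        first = False
        if ":" not in line:
            continue  # blank line or the "Successfully processed" trailer
        principal, rights = line.rsplit(":", 1)
        # Rights look like (I)(OI)(CI)(F) or (CI)(WD,AD): split each
        # parenthesised group, then any comma-separated list inside it.
        tokens = [t.strip() for grp in re.findall(r"\(([^)]*)\)", rights) for t in grp.split(",")]
        yield principal.strip(), tokens


def audit_icacls(directory, icacls_output):
    """Return a Finding for each allow ACE that lets a low-privilege
    principal add or replace files in `directory` or, through the OI/CI
    inheritance flags, in what lies beneath it."""
    findings = []
    for principal, tokens in parse_icacls(directory, icacls_output):
        if "DENY" in tokens or principal.lower() not in LOW_PRIV_PRINCIPALS:
            continue  # deny ACEs remove access; other principals are out of scope
        granted = FILE_WRITE_RIGHTS.intersection(tokens)
        if granted:
            findings.append(Finding(directory, principal, ",".join(sorted(granted))))
    return findings


# Constructed listing: a portable Rufus copy in a shared tools folder where
# Users can add files (the WD right), which is the precondition for the hijack.
PORTABLE_DIR = r"C:\Tools\rufus"
PORTABLE_ICACLS = r"""C:\Tools\rufus NT AUTHORITY\SYSTEM:(OI)(CI)(F)
               BUILTIN\Administrators:(OI)(CI)(F)
               BUILTIN\Users:(OI)(CI)(RX)
               BUILTIN\Users:(CI)(WD,AD)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed listing: the same layout with Users limited to read/execute
# and an explicit deny for Everyone, which must not be reported as a grant.
LOCKED_DIR = r"C:\Program Files\rufus"
LOCKED_ICACLS = r"""C:\Program Files\rufus NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                       BUILTIN\Administrators:(I)(OI)(CI)(F)
                       BUILTIN\Users:(I)(OI)(CI)(RX)
                       Everyone:(DENY)(W)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for d, out in ((PORTABLE_DIR, PORTABLE_ICACLS), (LOCKED_DIR, LOCKED_ICACLS)):
        for f in audit_icacls(d, out):
            print(f"{f.directory}: {f.principal} can write ({f.rights})")
```

On a real host, capture the listing with `icacls "C:\path\to\rufus"` and pass the text to audit_icacls together with the same path; the first directory reports Users with WD, the second reports nothing.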
Conclusion
CVE-2025-26624 is a serious vulnerability that highlights the risks associated with DLL hijacking in applications that run with elevated privileges. Users of Rufus should take immediate action to mitigate this vulnerability by upgrading to version 4.7 once it is released. In the meantime, organizations should implement strict file permission controls and monitor for signs of exploitation.