CVE-2025-64695 Overview
CVE-2025-64695 is an uncontrolled search path element vulnerability [CWE-427] in the Windows installer for LogStare Collector by Secuavail. The installer fails to specify absolute paths when loading dependent libraries, allowing it to load attacker-controlled binaries placed in the search path. When a user runs the installer from a directory containing a malicious DLL, the installer executes that code with the privileges of the invoking user. Successful exploitation results in arbitrary code execution on the local system.
Critical Impact
Attackers can achieve arbitrary code execution with the privileges of the user running the LogStare Collector installer, typically an administrator performing software deployment.
Affected Products
- Secuavail LogStare Collector (Windows installer)
- Microsoft Windows (host operating system)
- All installer versions prior to the vendor-supplied fix
Discovery Timeline
- 2025-11-21 - CVE-2025-64695 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64695
Vulnerability Analysis
The LogStare Collector Windows installer loads libraries using relative paths or by relying on the default Windows DLL search order. Windows searches the application directory, current working directory, and system directories in sequence when resolving an unqualified DLL name. An attacker who can write a DLL into any earlier search location can cause the installer to load attacker-controlled code instead of the legitimate library. This category of weakness is commonly referred to as DLL hijacking or binary planting.
Because installers run with the privileges of the invoking user, a standard user double-clicking the installer triggers code execution at that privilege level. When an administrator runs the installer, the planted DLL executes with administrative rights, providing a path to full system compromise.
Root Cause
The root cause is the installer's failure to use fully qualified paths or the SetDefaultDllDirectories and LoadLibraryEx APIs with safe search flags. The installer also does not validate the integrity or origin of dependent modules before loading them. This matches the conditions described in CWE-427: Uncontrolled Search Path Element.
Attack Vector
Exploitation requires local access and user interaction. An attacker stages a malicious DLL with a name matching one the installer attempts to load. The DLL is placed in the same directory as the installer, in the user's Downloads folder, or in a network share where the installer is executed. Common delivery scenarios include phishing emails containing a ZIP archive with both the legitimate installer and the malicious DLL, or compromised file servers used for software distribution.
The vulnerability manifests when Windows resolves an unqualified DLL reference during installer startup. See the JVN Security Advisory and the Logstare Vulnerability Report for vendor-supplied technical details.
Detection Methods for CVE-2025-64695
Indicators of Compromise
- Presence of unsigned or unexpected DLL files in the same directory as the LogStare Collector installer executable
- Process creation events showing the LogStare Collector installer loading DLLs from user-writable paths such as C:\Users\<user>\Downloads\
- Child processes spawned by the installer that are unrelated to legitimate setup operations, such as cmd.exe, powershell.exe, or rundll32.exe
- Network connections initiated by the installer process to non-vendor infrastructure during installation
Detection Strategies
- Monitor ImageLoad telemetry for the LogStare Collector installer and flag DLLs loaded from non-system, user-writable directories
- Alert on installer binaries executing from temporary directories, removable media, or network shares that also contain DLL files
- Use application control policies to baseline expected DLL load paths during software installation
Monitoring Recommendations
- Enable Sysmon Event ID 7 (Image Loaded) and review loads originating from user-writable paths
- Audit endpoints for executions of LogStare Collector setup binaries and correlate with file-write events in the same directory
- Track installer execution outside of approved software deployment workflows using EDR process telemetry
How to Mitigate CVE-2025-64695
Immediate Actions Required
- Download the LogStare Collector installer only from the official vendor site and verify file integrity before execution
- Run the installer from a clean, isolated directory that contains no other files, especially no DLLs
- Restrict installer execution to administrators using approved software deployment tooling rather than ad-hoc end-user runs
- Block execution of installers from Downloads, Temp, and removable media using AppLocker or Windows Defender Application Control
Patch Information
Secuavail has published advisory 2025-001 addressing this vulnerability. Refer to the Logstare Vulnerability Report for the fixed installer version and upgrade instructions. Replace any cached installer copies with the patched build before performing new deployments.
Workarounds
- Move the installer to a dedicated empty directory under a protected path before execution to remove planted DLLs from the search order
- Enforce SafeDllSearchMode and disable loading of DLLs from the current working directory via Group Policy
- Use software deployment platforms such as SCCM or Intune that execute installers from controlled, isolated directories
- Apply least-privilege practices so installation accounts cannot be leveraged for broader system compromise
# Enable SafeDllSearchMode via registry (PowerShell, run as administrator)
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Session Manager' \
-Name 'SafeDllSearchMode' -Value 1 -Type DWord
# Verify the setting
Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Session Manager' \
-Name 'SafeDllSearchMode'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

