CVE-2026-36574 Overview
CVE-2026-36574 is a DLL hijacking vulnerability in Wassimulator CactusViewer v2.3.0, an open-source image viewer distributed via GitHub. The flaw allows attackers to place a crafted Dynamic Link Library (DLL) in a location searched by the application before legitimate system directories. When CactusViewer loads, it executes the attacker-controlled DLL with the privileges of the invoking user. Successful exploitation enables arbitrary code execution and privilege escalation on the target host.
Critical Impact
An attacker who can write a malicious DLL to a directory searched by CactusViewer v2.3.0 can achieve arbitrary code execution and escalate privileges on the affected Windows system.
Affected Products
- Wassimulator CactusViewer v2.3.0
- CactusViewer.exe binary distributed via GitHub releases
- Windows hosts running the vulnerable executable
Discovery Timeline
- 2026-06-03 - CVE-2026-36574 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-36574
Vulnerability Analysis
The vulnerability is a classic Windows DLL search-order hijacking issue. CactusViewer v2.3.0 loads one or more DLL dependencies without specifying a fully qualified path or applying secure search-order controls. Windows resolves the missing DLL by scanning a sequence of directories, including the application's working directory. An attacker who controls any directory earlier in that search order can plant a malicious DLL that the loader will execute inside the CactusViewer process.
Once the rogue DLL loads, its DllMain entry point runs with the same privileges as CactusViewer. If a higher-privileged user or service launches the binary, the attacker inherits those privileges, enabling lateral movement, persistence, and credential theft.
Root Cause
The root cause is insecure library loading behavior in CactusViewer.exe. The application does not call SetDefaultDllDirectories, use LOAD_LIBRARY_SEARCH_SYSTEM32, or specify absolute paths when resolving dependent libraries. This omission causes the Windows loader to fall back to the standard search order, which includes attacker-writable locations such as the directory containing the executable or the current working directory.
Attack Vector
Exploitation requires the attacker to write a malicious DLL with a name CactusViewer attempts to load into a directory the application searches. Common delivery techniques include bundling the rogue DLL alongside a distributed image archive, dropping it via a separate malware stager, or placing it in a shared folder where users execute the viewer. When a user launches CactusViewer v2.3.0 from that location, Windows resolves the import to the malicious DLL and executes its code.
No verified proof-of-concept code is published. Technical discussion is available in GitHub CactusViewer Issue #65 and the project source at the GitHub CactusViewer Repository.
Detection Methods for CVE-2026-36574
Indicators of Compromise
- Unexpected DLL files located in the same directory as CactusViewer.exe or in user-writable directories where the binary is launched.
- CactusViewer.exe loading modules from non-standard paths such as %USERPROFILE%\Downloads or removable media.
- Child processes spawned by CactusViewer.exe that perform reconnaissance, network connections, or credential access.
Detection Strategies
- Monitor Windows Sysmon Event ID 7 (ImageLoad) for CactusViewer.exe loading DLLs from outside C:\Windows\System32 or the official install directory.
- Hunt for newly written DLLs that share names with known CactusViewer dependencies in user-writable folders.
- Alert on CactusViewer.exe parent processes spawning cmd.exe, powershell.exe, rundll32.exe, or other living-off-the-land binaries.
Monitoring Recommendations
- Enable PowerShell and command-line auditing on hosts where CactusViewer is permitted to run.
- Forward Sysmon and Windows Security logs to a centralized analytics platform to correlate suspicious image loads with subsequent process activity.
- Track file-creation events for DLLs dropped into the same directories from which users execute portable applications.
How to Mitigate CVE-2026-36574
Immediate Actions Required
- Remove or restrict execution of CactusViewer.exe v2.3.0 until a patched build is available.
- Run the application only from a trusted, write-protected directory that contains no untrusted files.
- Inventory endpoints to identify where CactusViewer is installed or has been executed from user-writable locations.
Patch Information
No vendor patch is referenced in the NVD entry at the time of publication. Track upstream remediation through the GitHub CactusViewer Repository and the related discussion in GitHub CactusViewer Issue #65. The vulnerable binary is published at CactusViewer v2.3.0 Executable and should not be executed from untrusted directories.
Workarounds
- Move CactusViewer.exe to a directory writable only by administrators, such as C:\Program Files\CactusViewer, before launching it.
- Block execution of CactusViewer.exe from user-writable paths using AppLocker or Windows Defender Application Control policies.
- Apply the CWDIllegalInDllSearch registry policy to restrict DLL loading from the current working directory across affected hosts.
# Example AppLocker-style path rule to deny CactusViewer execution from user-writable locations
New-AppLockerPolicy -RuleType Path -User Everyone -Action Deny `
-Path "%OSDRIVE%\Users\*\Downloads\CactusViewer.exe"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
