Skip to main content
CVE Vulnerability Database

CVE-2026-5397: UPS Management DLL Hijacking Vulnerability

CVE-2026-5397 is a privilege escalation flaw in UPS management applications that allows attackers to execute malicious DLLs with admin rights. This article covers the technical details, impact, and mitigation strategies.

Updated:

CVE-2026-5397 Overview

CVE-2026-5397 is a DLL search order hijacking vulnerability [CWE-427] affecting an Omron Uninterruptible Power Supply (UPS) management application. The flaw stems from improper permissions on the product's installation directory. A local attacker with low privileges can place a malicious Dynamic Link Library (DLL) in that directory. When the UPS service starts, it loads the attacker-controlled DLL because the executable searches for missing DLLs in the same directory. The library executes with administrator privileges, granting full control over the affected host.

Critical Impact

A low-privileged local user can achieve SYSTEM-level code execution by writing a malicious DLL into the UPS application's installation directory, leading to full host compromise and a scope change beyond the vulnerable component.

Affected Products

  • Omron UPS Management Application (see vendor advisory OMSR-2026-001 for affected versions)
  • Windows hosts where the UPS management service is installed with default installation directory permissions
  • Industrial and enterprise environments relying on Omron UPS power management software

Discovery Timeline

  • 2026-04-15 - CVE-2026-5397 published to NVD
  • 2026-04-17 - Last updated in NVD database

Technical Details for CVE-2026-5397

Vulnerability Analysis

The vulnerability resides in how the UPS management service resolves DLL dependencies during startup. Windows applications follow a defined DLL search order when loading libraries that are not specified with a fully qualified path. When a required DLL is missing from system locations, the loader falls back to the directory containing the executable. The UPS service runs with administrator privileges, so any DLL loaded from that directory inherits the same privilege level. Because the installation directory grants write access to non-administrative users, a local attacker can drop a crafted DLL that satisfies one of the service's missing imports. On the next service start or system reboot, the planted DLL executes inside the privileged service process. The attack requires local access and successful placement of the payload, but no user interaction beyond the normal service lifecycle.

Root Cause

The root cause is twofold: insecure filesystem permissions on the installation directory and reliance on the default Windows DLL search order for libraries not present alongside the binary. Either flaw alone would be insufficient, but together they create a writable, privileged search path that satisfies the conditions for DLL hijacking.

Attack Vector

The attack vector is local. An authenticated low-privileged user writes a DLL named after a library that the UPS service attempts to load but cannot find in standard locations. When the service initializes, it loads the malicious DLL from the installation directory and executes its DllMain entry point under the SYSTEM or Administrator security context. The scope change reflected in the CVSS vector indicates that the impact extends beyond the vulnerable component to the entire operating system.

No public proof-of-concept code is available. Refer to the Omron Security Advisory for vendor-specific technical details.

Detection Methods for CVE-2026-5397

Indicators of Compromise

  • Unexpected DLL files appearing in the Omron UPS management application's installation directory, particularly files with recent creation timestamps that do not match the original installer manifest.
  • Service processes belonging to the UPS application loading DLLs from non-standard paths or DLLs not digitally signed by Omron.
  • Child processes spawned by the UPS service that perform reconnaissance, credential access, or persistence actions.

Detection Strategies

  • Baseline the contents of the UPS installation directory and alert on any new or modified DLL files written by non-administrative accounts.
  • Monitor Windows event logs and Sysmon Event ID 7 (Image Loaded) for DLLs loaded by the UPS service from the installation directory that lack a valid Omron Authenticode signature.
  • Correlate service start events with subsequent privileged process activity to identify anomalous post-startup behavior.

Monitoring Recommendations

  • Enable file integrity monitoring on the UPS installation directory and treat write events from non-admin SIDs as high-severity alerts.
  • Log and review the effective Access Control Lists (ACLs) on UPS application directories across managed endpoints to identify hosts that permit user-level writes.
  • Track service startup chains and DLL load events using EDR telemetry to detect hijack attempts in real time.

How to Mitigate CVE-2026-5397

Immediate Actions Required

  • Apply the vendor-supplied patch referenced in the Omron Security Advisory OMSR-2026-001 as soon as it is available for your version.
  • Restrict write permissions on the UPS application's installation directory so that only the Administrators group and SYSTEM account can modify its contents.
  • Audit the installation directory for unauthorized DLL files and remove any that are not part of the legitimate product distribution.

Patch Information

Omron has published security advisory OMSR-2026-001 documenting the issue. Administrators should consult the English advisory or the Japanese advisory for fixed version numbers and update procedures.

Workarounds

  • Remove write and modify permissions for Users and Authenticated Users on the UPS installation directory using icacls until a patch can be deployed.
  • Limit interactive and remote local logon rights on hosts running the UPS service to reduce the population of users able to stage a malicious DLL.
  • Configure application allowlisting (for example, Windows Defender Application Control or AppLocker) to permit only Omron-signed DLLs to load into the UPS service process.
bash
# Configuration example: remove non-admin write access on the UPS install directory
icacls "C:\Program Files\Omron\UPS" /remove:g "Users"
icacls "C:\Program Files\Omron\UPS" /remove:g "Authenticated Users"
icacls "C:\Program Files\Omron\UPS" /inheritance:r
icacls "C:\Program Files\Omron\UPS" /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.