📄 Description (English)
Untrusted search path in Windows GDI allows an unauthorized attacker to execute code locally.
🤖 AI Executive Summary
CVE-2026-25190 is a high-severity local code execution vulnerability in Windows GDI caused by an untrusted search path (CWE-426). An unauthorized attacker with local access can execute arbitrary code by exploiting improper DLL loading mechanisms. This vulnerability affects multiple Windows 10 versions and requires immediate patching across Saudi organizations to prevent privilege escalation and system compromise.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 29, 2026 07:03
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi government entities (NCA, NCSC), banking sector (SAMA-regulated institutions, major banks), healthcare organizations (MOH facilities), energy sector (ARAMCO, utilities), and telecommunications (STC, Mobily). The local execution requirement means risk is highest for organizations with shared workstations, remote access infrastructure, or supply chain vulnerabilities. Government agencies and critical infrastructure operators face elevated risk due to legacy Windows 10 deployments (versions 1607, 1809) still in use.
🏢 Affected Saudi Sectors
Government (NCA, NCSC, Ministry of Interior)
Banking and Financial Services (SAMA-regulated banks)
Healthcare (Ministry of Health facilities)
Energy and Utilities (ARAMCO, power generation)
Telecommunications (STC, Mobily, Zain)
Critical Infrastructure
Education (Universities, Research Institutions)
Defense and Military
🎯 MITRE ATT&CK Techniques
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking
T1574.008 - Hijack Execution Flow: Path Interception by Search Order Hijacking
T1547.014 - Boot or Logon Autostart Execution: Active Setup
T1053.005 - Scheduled Task/Job: Scheduled Task
T1204.001 - User Execution: Malicious Link
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all Windows 10 systems across versions 1607, 1809, 21H2, and 22H2 (x86, x64, ARM64)
2. Prioritize patching for systems in critical infrastructure, government, and financial sectors
3. Apply Microsoft security updates immediately upon availability
PATCHING GUIDANCE:
1. Deploy Windows Update patches to all affected Windows 10 versions
2. For systems unable to patch immediately, implement compensating controls
3. Test patches in non-production environments before enterprise deployment
4. Establish rollback procedures for patch failures
COMPENSATING CONTROLS (if patching delayed):
1. Restrict local access through Group Policy and access controls
2. Disable unnecessary GDI services and features
3. Implement application whitelisting to prevent unauthorized DLL loading
4. Monitor and restrict write permissions to system directories and PATH locations
5. Use Windows Defender Application Guard for high-risk applications
DETECTION RULES:
1. Monitor for suspicious DLL loading from non-standard paths via Sysmon Event ID 7
2. Alert on unsigned or invalid signatures in GDI-related processes
3. Track modifications to system PATH environment variables
4. Monitor process creation with unusual parent-child relationships involving GDI components
5. Implement EDR rules for CWE-426 DLL search path exploitation patterns
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حصر جميع أنظمة Windows 10 عبر الإصدارات 1607 و1809 و21H2 و22H2 (x86 و x64 و ARM64)
2. إعطاء الأولوية لتصحيح الأنظمة في البنية التحتية الحرجة والحكومة والقطاع المالي
3. تطبيق تحديثات أمان Microsoft فور توفرها
إرشادات التصحيح:
1. نشر تحديثات Windows Update لجميع إصدارات Windows 10 المتأثرة
2. للأنظمة غير القادرة على التصحيح فورًا، تطبيق ضوابط تعويضية
3. اختبار التحديثات في بيئات غير الإنتاج قبل النشر على مستوى المؤسسة
4. إنشاء إجراءات التراجع عن فشل التحديثات
الضوابط التعويضية (إذا تأخر التصحيح):
1. تقييد الوصول المحلي من خلال Group Policy وضوابط الوصول
2. تعطيل خدمات وميزات GDI غير الضرورية
3. تطبيق قائمة بيضاء للتطبيقات لمنع تحميل DLL غير المصرح به
4. مراقبة وتقييد أذونات الكتابة في مجلدات النظام ومواقع PATH
5. استخدام Windows Defender Application Guard للتطبيقات عالية المخاطر
قواعد الكشف:
1. مراقبة تحميل DLL المريب من مسارات غير قياسية عبر Sysmon Event ID 7
2. تنبيهات على التوقيعات غير الموقعة أو غير الصحيحة في عمليات GDI
3. تتبع التعديلات على متغيرات بيئة PATH للنظام
4. مراقبة إنشاء العمليات بعلاقات أب-طفل غير عادية تتضمن مكونات GDI
5. تطبيق قواعد EDR لأنماط استغلال مسار البحث CWE-426
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policies
ECC 2024 A.5.2.1 - User Registration and De-registration
ECC 2024 A.6.1.2 - Malware Protection
ECC 2024 A.12.2.1 - Change Management
ECC 2024 A.12.6.1 - Management of Technical Vulnerabilities
🔵 SAMA CSF
SAMA CSF ID.BE-1 - Asset Management
SAMA CSF PR.AC-1 - Access Control
SAMA CSF PR.PT-1 - Security Awareness and Training
SAMA CSF DE.CM-1 - Detection Processes
SAMA CSF RS.MI-1 - Incident Response Planning
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 - Policies for Information Security
ISO 27001:2022 A.6.1 - Organization of Information Security
ISO 27001:2022 A.8.1 - Asset Management
ISO 27001:2022 A.8.2 - Data Classification
ISO 27001:2022 A.12.6 - Management of Technical Vulnerabilities
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security Patches and Updates
PCI DSS 11.2 - Vulnerability Scanning
📦 Affected Products / CPE 25 entries
microsoft:windows_10_1607
microsoft:windows_10_1607
microsoft:windows_10_1809
microsoft:windows_10_1809
microsoft:windows_10_21h2
microsoft:windows_10_21h2
microsoft:windows_10_21h2
microsoft:windows_10_22h2
microsoft:windows_10_22h2
microsoft:windows_10_22h2
microsoft:windows_11_23h2
microsoft:windows_11_23h2
microsoft:windows_11_24h2
microsoft:windows_11_24h2
microsoft:windows_11_25h2
microsoft:windows_11_25h2
microsoft:windows_11_26h1
microsoft:windows_11_26h1
microsoft:windows_server_2012:-
microsoft:windows_server_2012:r2
microsoft:windows_server_2016
microsoft:windows_server_2019
microsoft:windows_server_2022
microsoft:windows_server_2022_23h2
microsoft:windows_server_2025