Local privilege escalation in ANSSI’s DFIR-ORC
Versions of DFIR-ORC prior to 10.2.7 (included).
INCIBE has coordinated the publication of a high-severity vulnerability affecting ANSSI’s DFIR-ORC, an open-source, modular tool designed to collect and analyze forensic artefacts on Microsoft Windows systems. The vulnerability was discovered by Rémi Delabrosse and Nicolas Rodrigues from Oppida.
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- CVE-2026-11958: CVSS v4.0: 7.3 | CVSS AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H | CWE-427
The vulnerability has been mitigated by the ANSSI team in version 10.2.8 and fully addressed with an improved fix in 10.3.0.
Workaround for earlier versions:
- Do not execute from a too permissive directory (v10.8.0).
- Do not run as System unless you set the temporary directory (/tempdir) to a location with appropriate permissions. (<10.2.8).
CVE-2026-11958: local privilege escalation by loading DLLs from a shared temporary directory. An attacker with prior access to the system, can place a malicious DLL in C:\Windows\Temp and wait for the application to be executed. Because DFIR-ORC is extracted and executed from that location with administrative privileges, the malicious library can be loaded automatically, allowing the attacker to gain administrator privileges on the affected machine.
| Identificador CVE | Severidad | Explotación | Fabricante |
|---|---|---|---|
| CVE-2026-11958 | Media | No | ANSSI |
