CVE-2025-15595
Published: 03 March 2026
Summary
CVE-2025-15595 is a high-severity Weak Authentication (CWE-1390) vulnerability in Jrsoftware Inno Setup. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique DLL Side-Loading (T1574.002). The CVE ranks at the 4.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and CM-11 (User-installed Software).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mandates identifying, prioritizing, and applying patches or upgrades to remediate the DLL hijacking flaw in vulnerable Inno Setup versions 6.2.1 and earlier.
- Enforces deny-all, permit-by-exception policies to block execution of unapproved or vulnerable Inno Setup installers, preventing DLL hijacking exploitation.
- Prohibits or strictly governs user-installed software, directly mitigating risks from running untrusted Inno Setup installers that enable local privilege escalation via DLL hijacking.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE directly describes DLL hijacking (T1574.002), which enables local privilege escalation (T1068) when a user executes a malicious or tampered installer.
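The technique mapping above (T1574.002, a DLL loaded from the same user-writable directory as the installer that loads it) can be turned into a simple detection rule over image-load telemetry. The following is an added example written for this advisory, not code from the page, from Jrsoftware or from any vendor: the event field names (`image`, `loaded`, `signed`) and the sample events are constructed, and the list of user-writable path prefixes is an assumption to adapt to your environment.

```python
from pathlib import PureWindowsPath

# Constructed sample image-load events (not real telemetry). Field layout is an
# assumption: the loading process image, the DLL it loaded, and whether the DLL
# carried a valid Authenticode signature according to the sensor.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\Downloads\app-setup.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"image": r"C:\Users\alice\Downloads\app-setup.exe",
     "loaded": r"C:\Users\alice\Downloads\netutil.dll", "signed": False},
    {"image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Program Files\Vendor\helper.dll", "signed": True},
    {"image": r"C:\Users\bob\AppData\Local\Temp\setup.exe",
     "loaded": r"C:\Users\bob\AppData\Local\Temp\plugin.dll", "signed": False},
    {"image": r"C:\Users\bob\Desktop\tool.exe",
     "loaded": r"C:\Users\bob\Desktop\tool.dll", "signed": True},
]

# Assumption: directories under these prefixes are writable by unprivileged
# users. Extend with any network shares or scratch paths your estate uses.
USER_WRITABLE_PREFIXES = (
    PureWindowsPath(r"C:\Users"),
    PureWindowsPath(r"C:\Windows\Temp"),
)


def _lower_parts(path: PureWindowsPath) -> tuple:
    # Windows paths are case-insensitive; compare normalised components so
    # "c:\users\..." and "C:\Users\..." are treated as the same location.
    return tuple(part.lower() for part in path.parts)


def is_user_writable(directory: PureWindowsPath) -> bool:
    """True if `directory` is the prefix itself or sits beneath one of USER_WRITABLE_PREFIXES."""
    parts = _lower_parts(directory)
    for prefix in USER_WRITABLE_PREFIXES:
        pp = _lower_parts(prefix)
        # Component-wise comparison avoids matching "C:\UsersArchive" against "C:\Users".
        if parts[: len(pp)] == pp:
            return True
    return False


def is_sideload_candidate(event: dict) -> bool:
    """Flag a DLL loaded from the directory of the loading image when that
    directory is user-writable and the DLL is not signed. Signed DLLs that an
    installer legitimately ships beside itself are left alone."""
    image = PureWindowsPath(event["image"])
    dll = PureWindowsPath(event["loaded"])
    same_dir = image.parent == dll.parent  # PureWindowsPath equality is case-insensitive
    return same_dir and is_user_writable(dll.parent) and not event["signed"]


def detect_sideload_candidates(events: list) -> list:
    """Return the subset of events that match the side-loading pattern."""
    return [e for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for hit in detect_sideload_candidates(SAMPLE_EVENTS):
        print(f"possible DLL side-load: {hit['image']} loaded {hit['loaded']}")
```

The rule deliberately requires all three conditions (same directory, user-writable location, unsigned DLL) so that a signed helper DLL an installer legitimately ships beside itself does not fire; a system DLL loaded from `System32` is excluded by the same-directory test.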
NVD Description
Privilege escalation via DLL hijacking in Inno Setup 6.2.1 and earlier versions.
Deeper analysis
CVE-2025-15595 is a privilege escalation vulnerability caused by DLL hijacking in Inno Setup versions 6.2.1 and earlier. It affects the Inno Setup installer software, which is widely used for creating Windows installers. The vulnerability is classified as CWE-1390 (Weak Authentication) and has a CVSS v3.1 base score of 7.8. That score reflects a local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), and high impact on confidentiality, integrity, and availability.
A local attacker can exploit this vulnerability by tricking a user into running a malicious installer, or by preparing a location the user will run the installer from so that the installer loads an attacker-controlled DLL. No special privileges are needed (PR:N), but the attacker requires local access (AV:L) and user interaction (UI:R), such as the user executing the affected Inno Setup binary. Successful exploitation allows elevation to higher privileges, potentially granting full control over the system with high impacts on confidentiality, integrity, and availability.
Mitigation details are provided in the Inno Setup 6.2 release notes at https://jrsoftware.org/files/is6.2-whatsnew.htm, which likely address the DLL hijacking issue through updates in that release line. Since the NVD description lists 6.2.1 and earlier as affected, security practitioners should ensure installers are built with a release newer than 6.2.1 and advise users to avoid running untrusted installers.
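The patching control listed under Mitigating Controls and the recommendation above both come down to an inventory question: which installers in the estate were built with an affected Inno Setup release? The following triage script is an added example for this advisory, not code from the page or from Jrsoftware. It assumes that a compiled Inno Setup installer contains an ASCII marker of the form `Inno Setup Setup Data (X.Y.Z)`; verify that marker against a known-good sample before relying on the script, since the page itself does not state it. The sample installer blobs are constructed.

```python
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

# Assumption (not stated on the advisory page): compiled Inno Setup installers
# embed a version marker like b"Inno Setup Setup Data (6.2.1)". Some builds add
# a suffix such as " (u)" after the version, which this pattern tolerates.
VERSION_MARKER = re.compile(rb"Inno Setup Setup Data \((\d+)\.(\d+)\.(\d+)\)")

# From the advisory: 6.2.1 and earlier are affected by CVE-2025-15595.
LAST_AFFECTED = (6, 2, 1)

Version = Tuple[int, int, int]


def inno_version(blob: bytes) -> Optional[Version]:
    """Extract the Inno Setup version that built an installer, or None if the
    marker is absent (not an Inno Setup installer, or an unexpected layout)."""
    match = VERSION_MARKER.search(blob)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def is_affected(version: Optional[Version]) -> bool:
    """Compare as integer tuples, so 6.10.0 correctly sorts above 6.2.1
    (a plain string comparison would get that wrong). Unknown versions are
    reported as not affected here and surfaced separately by triage()."""
    return version is not None and version <= LAST_AFFECTED


def triage(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each named installer blob as affected, not-affected or unknown."""
    results: Dict[str, str] = {}
    for name, blob in samples.items():
        version = inno_version(blob)
        if version is None:
            results[name] = "unknown (no Inno Setup marker found)"
        elif is_affected(version):
            results[name] = "affected (%d.%d.%d)" % version
        else:
            results[name] = "not-affected (%d.%d.%d)" % version
    return results


def scan_directory(directory: str, pattern: str = "*.exe") -> Dict[str, str]:
    """Run triage() over every file matching `pattern` under `directory`.
    Files are read whole; for very large installers read in chunks instead."""
    samples = {str(p): p.read_bytes() for p in Path(directory).rglob(pattern)}
    return triage(samples)


# Constructed sample blobs standing in for real installer files.
CONSTRUCTED_SAMPLES = {
    "old-app-setup.exe": b"MZ\x90\x00...Inno Setup Setup Data (6.2.1) (u)...",
    "patched-app-setup.exe": b"MZ\x90\x00...Inno Setup Setup Data (6.2.2)...",
    "newer-major-setup.exe": b"MZ\x90\x00...Inno Setup Setup Data (6.10.0)...",
    "legacy-setup.exe": b"MZ\x90\x00...Inno Setup Setup Data (5.6.1)...",
    "other-packager.exe": b"MZ\x90\x00...no marker here...",
}


if __name__ == "__main__":
    for name, verdict in triage(CONSTRUCTED_SAMPLES).items():
        print(f"{name}: {verdict}")
```

Run `scan_directory(r"C:\path\to\installers")` against a software repository to get the same verdicts for real files; anything reported as unknown should be checked by hand rather than assumed safe.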
Details
- CWE(s)