CVE-2026-2998

HighLPE

Published: 23 February 2026

Published

23 February 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 5.4th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2998 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Org (inferred from references). Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique DLL Search Order Hijacking (T1038); ranked at the 5.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to DLL Search Order Hijacking (T1038) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the DLL hijacking vulnerability by applying vendor patches or updates to fix the improper DLL loading path validation in the ERP software.

CM-6 Configuration Settings good match

prevent

Establishes and enforces secure configuration settings, such as safe DLL search order, to prevent the ERP program from loading DLLs from the current directory.

CM-14 Signed Components good match

prevent

Requires and enforces digital signature or hash validation prior to loading DLL components, blocking execution of crafted malicious DLLs placed by attackers.

MITRE ATT&CK Enterprise TechniquesAI

T1038 DLL Search Order Hijacking Persistence

Windows systems use a common method to look for required DLLs to load into a program.

attack.mitre.org →

T1574.002 DLL Side-Loading Stealth

Adversaries may execute their own malicious payloads by side-loading DLLs.

attack.mitre.org →

Why these techniques?

CVE directly describes DLL hijacking via untrusted search path (placing malicious DLL beside executable for load at runtime), matching T1038 (DLL Search Order Hijacking) and T1574.002 (DLL Side-Loading).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

ERP developed by eAI Technologies has a DLL Hijacking vulnerability, allowing authenticated local attackers to place a crafted DLL file in the same directory as the program, thereby executing arbitrary code.

Deeper analysisAI

CVE-2026-2998 is a DLL Hijacking vulnerability (CWE-426) in ERP software developed by eAI Technologies. Published on 2026-02-23, it allows authenticated local attackers to place a crafted DLL file in the same directory as the program executable, resulting in the execution of arbitrary code when the software runs. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to its potential for significant impact with low complexity and privileges.

Local attackers with authenticated access to the system can exploit this flaw by dropping a malicious DLL alongside the ERP executable. No user interaction is required, and the attack leverages the program's failure to properly validate DLL loading paths. Successful exploitation grants arbitrary code execution under the context of the ERP process, enabling high confidentiality, integrity, and availability impacts such as data theft, modification, or system disruption.

Advisories from TWCERT provide further details on the vulnerability, available at https://www.twcert.org.tw/en/cp-139-10723-14549-2.html and https://www.twcert.org.tw/tw/cp-132-10722-db7cb-1.html.