Cyber Resilience

CVE-2026-3091

Severity: Medium
Published: 24 February 2026
Modified: 02 June 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 6.7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (4.1st percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-3091 is a medium-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Synology Presto Client. Its CVSS base score is 6.7 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique DLL (T1574.001). By exploit likelihood it ranks at the 4.1st percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

CVE-2026-3091 is an uncontrolled search path element vulnerability (CWE-427) in Synology Presto Client versions before 2.1.3-0672. The issue arises during installation, where the software fails to properly validate DLL loading paths, allowing a malicious DLL placed in advance in the same directory as the installer to be executed instead of the legitimate one.

Local users with low privileges can exploit this vulnerability by placing a malicious DLL in the installer's directory prior to installation. Exploitation requires high attack complexity, local access, and user interaction, such as initiating the installer, per the CVSS v3.1 vector AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H (base score 6.7). Successful attacks enable reading or writing arbitrary files, potentially leading to full system compromise through escalated privileges or persistence.

Synology's security advisory (Synology_SA_26_02), available at https://www.synology.com/en-global/security/advisory/Synology_SA_26_02, details mitigation steps and patches for this vulnerability.


Vulnerability details

An uncontrolled search path element vulnerability in Synology Presto Client before 2.1.3-0672 allows local users to read or write arbitrary files and conduct denial-of-service during installation by placing a malicious DLL in advance in the same directory as the installer.

MITRE ATT&CK Enterprise Techniques

T1574.001 DLL · Stealth
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses.

T1068 Exploitation for Privilege Escalation · Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

CWE-427 uncontrolled search path directly enables DLL search order hijacking/side-loading (T1038/T1574.002) of a malicious DLL from the installer directory; successful exploitation by a low-privileged local user yields arbitrary code execution leading to privilege escalation (T1068) and potential persistence.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2023-52945 (same product class: NAS / storage appliance)
CVE-2022-49042 (same product class: NAS / storage appliance)
CVE-2025-14713 (same product class: NAS / storage appliance)
CVE-2024-45538 (same product class: NAS / storage appliance)
CVE-2024-50631 (same product class: NAS / storage appliance)
CVE-2022-49036 (same product class: NAS / storage appliance)
CVE-2025-12686 (same product class: NAS / storage appliance)
CVE-2024-10444 (same product class: NAS / storage appliance)
CVE-2025-13392 (same product class: NAS / storage appliance)
CVE-2025-30028 (same product class: NAS / storage appliance)

Affected Assets

Synology Presto Client, versions ≤ 2.1.3-0672 (the vulnerability description above says versions before 2.1.3-0672)

Mitigating Controls (NIST 800-53 r5)

CM-14 Signed Components (prevent)
Requires all executable components (including DLLs) to be cryptographically signed, directly blocking the malicious unsigned DLL that the installer would otherwise load from the same directory.

SI-7 Software, Firmware, and Information Integrity (prevent)
Mandates integrity verification of software and libraries before execution, preventing the installer from running an attacker-placed DLL that fails the check.

Malicious code protection (prevent, detect)
Deploys malicious-code detection mechanisms that can identify and block the rogue DLL before or during the installation process.
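The pre-install check that the "Deeper analysis" paragraphs and the CM-14 / SI-7 controls above describe can be turned into a routine an administrator runs before launching any downloaded installer. The script below is an added example written for this page; it is not code from Synology or from the advisory. It assumes a Windows host with PowerShell's built-in Get-AuthenticodeSignature and Get-FileHash cmdlets, takes the installer path as a placeholder parameter, and treats any DLL sitting beside a standalone installer as unexpected (the CWE-427 precondition) and any file without a valid Authenticode signature as a hard stop.

```powershell
# Added example (not from the Synology advisory): audit the files that sit
# beside a downloaded installer before running it. A DLL placed in the
# installer's directory is exactly what a CWE-427 search-path hijack relies on.
param(
    # Assumed placeholder; point this at the installer you actually downloaded.
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath
)

if (-not (Test-Path -LiteralPath $InstallerPath -PathType Leaf)) {
    throw "Installer not found: $InstallerPath"
}

$installerDir = Split-Path -Path $InstallerPath -Parent
$report = @()

# Check the installer itself as well as every DLL in the same directory.
$targets = @(Get-Item -LiteralPath $InstallerPath) +
           @(Get-ChildItem -LiteralPath $installerDir -Filter '*.dll' -File)

foreach ($file in $targets) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    $report += [pscustomobject]@{
        File   = $file.Name
        Status = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        SHA256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }
}

$report | Format-Table -AutoSize

# Any DLL next to a standalone installer is unexpected; any file that is not
# validly signed is a reason not to run the installer at all.
$dlls = @($report | Where-Object { $_.File -like '*.dll' })
$bad  = @($report | Where-Object { $_.Status -ne 'Valid' })

if ($dlls.Count -gt 0) {
    Write-Warning ("{0} DLL(s) found beside the installer in {1}; move the installer to a freshly created, empty directory before running it." -f $dlls.Count, $installerDir)
}
if ($bad.Count -gt 0) {
    Write-Error ("{0} file(s) failed Authenticode validation; do not run the installer." -f $bad.Count)
    exit 1
}
Write-Host "All files beside the installer carry a valid Authenticode signature."
exit 0
```

Run it as `.\Check-InstallerDir.ps1 -InstallerPath 'C:\Users\me\Downloads\presto-installer.exe'` (constructed path). The SHA256 column gives you something to record or compare against the vendor's published hash; the signature status is the property that CM-14 and SI-7 are about, and the simplest way to deny the hijack its precondition is the one the warning suggests: run installers from an empty directory.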
