Cyber Posture

CVE-2026-5397

Severity: High

Published: 15 April 2026
Modified: 17 April 2026
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.7th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-5397 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in an Omron product (vendor inferred from references). Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique DLL Side-Loading (T1574.002). The CVE ranks at the 1.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to DLL Side-Loading (T1574.002). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Establishes secure configuration settings for file system permissions to prevent unauthorized writes to the UPS management application installation directory.

Prevent: Enforces the principle of least privilege to restrict low-privileged local attackers from placing malicious DLLs in the installation directory.

Detect: Monitors software integrity in the installation directory to detect unauthorized modifications such as placement of malicious DLLs prior to service startup.
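A way to check the two preventive controls above on a host, as an added example that is not from this page or from Omron's advisory: the PowerShell script lists Allow entries that give any principal outside a trusted set the ability to add or replace files in an installation directory. The install path is a placeholder (the page does not state it) and the trusted-SID list is an assumption to adjust for the environment.

```powershell
param(
    # Placeholder: the page does not state the product's install path.
    [string]$InstallDir = 'C:\Program Files\ExampleUpsManager'
)

# Assumption: only these principals should hold write access to the directory.
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Access-mask bits that allow adding or replacing a file in the directory:
# WriteData 0x2, AppendData 0x4, DeleteSubdirectoriesAndFiles 0x40, Delete 0x10000,
# ChangePermissions 0x40000, TakeOwnership 0x80000, GENERIC_ALL 0x10000000,
# GENERIC_WRITE 0x40000000.
$writeBits = 0x500D0046

function Resolve-Sid($identity) {
    # Fall back to the raw name when the account cannot be translated.
    try { $identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $identity.Value }
}

$acl = Get-Acl -LiteralPath $InstallDir
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    # Inherit-only ACEs (PropagationFlags bit 2) do not apply to the directory itself.
    if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }
    if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
    $sid = Resolve-Sid $ace.IdentityReference
    if ($trustedSids -contains $sid) { continue }
    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Sid       = $sid
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
    }
}

# A non-trusted owner can rewrite the DACL, so report it as well.
$ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
if ($trustedSids -notcontains $ownerSid) {
    Write-Warning "Owner $($acl.Owner) is not in the trusted set"
}

if ($findings) { $findings | Format-Table -AutoSize; exit 1 }
"No non-trusted write access found on $InstallDir"
```

Entries flagged as inherited point to a weak ACL on a parent directory, which is where the permission has to be corrected.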

MITRE ATT&CK Enterprise Techniques

T1574.002 DLL Side-Loading Stealth
Adversaries may execute their own malicious payloads by side-loading DLLs.
Why these techniques?

The vulnerability allows a low-privileged attacker to place a malicious DLL in the application's installation directory (due to weak permissions) which is then loaded during service startup, directly enabling DLL side-loading for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

It has been identified that a vulnerability (CWE-427) exists in the UPS (Uninterruptible Power Supply) management application, whereby improper permissions on the installation directory allow a malicious actor to place a DLL that is then executed with administrator privileges. If a malicious DLL is placed in the installation directory of this product, there is a possibility that the malicious DLL may be executed by exploiting the product’s behavior of loading missing DLLs from the same directory as the executable during service startup.

Deeper analysis

CVE-2026-5397 is a CWE-427 vulnerability in the UPS (Uninterruptible Power Supply) management application. The issue stems from improper permissions on the installation directory, which allow a malicious actor to place a DLL file. This DLL is then executed with administrator privileges due to the application's behavior of loading missing DLLs from the same directory as the executable during service startup.

A local attacker with low privileges (PR:L) can exploit this vulnerability by placing a malicious DLL in the installation directory, though it requires high attack complexity (AC:H). Successful exploitation enables execution of the DLL with administrator privileges, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) and a changed scope (S:C), as reflected in the CVSS v3.1 base score of 7.8.

Omron has issued security advisory OMSR-2026-001 addressing this vulnerability, available in English at https://www.omron.com/global/en/inquiry/data/OMSR-2026-001_en.pdf and in Japanese at https://www.omron.com/jp/ja/inquiry/data/OMSR-2026-001_ja.pdf. Security practitioners should review these documents for detailed mitigation and patching guidance.

Details

CWE(s)

Affected Products

Omron
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-23755 (shared CWE-427)
CVE-2024-9493 (shared CWE-427)
CVE-2026-2713 (shared CWE-427)
CVE-2024-57426 (shared CWE-427)
CVE-2024-57963 (shared CWE-427)
CVE-2025-21127 (shared CWE-427)
CVE-2024-57964 (shared CWE-427)
CVE-2024-9498 (shared CWE-427)
CVE-2024-55543 (shared CWE-427)
CVE-2025-54519 (shared CWE-427)
