CVE-2026-2516
A vulnerability was identified in Unidocs ezPDF DRM Reader and ezPDF Reader 2.0/3.0.0.4 on 32-bit. This affects an unknown part in the library SHFOLDER.dll. Such manipulation leads to uncontrolled sea...
Security Advisory: High-Severity Vulnerability in Unidocs ezPDF Reader
Overview
A high-severity security vulnerability has been identified in specific versions of the Unidocs ezPDF DRM Reader and ezPDF Reader software. This flaw, tracked as CVE-2026-2516, is a “DLL Hijacking” or “Uncontrolled Search Path” vulnerability located within the SHFOLDER.dll library component. In simpler terms, the software does not securely look for necessary system files, allowing a malicious actor to potentially trick it into running harmful code from an untrusted location.
Vulnerability Details
The vulnerability exists in the 32-bit versions of ezPDF Reader 2.0 and ezPDF Reader 3.0.0.4. The core issue lies in how the application searches for the SHFOLDER.dll file. Under certain conditions, it may look for this file in directories controlled by a user (like a download folder or a network share) before checking the secure, standard Windows system directories.
Key Points:
- Attack Vector: An attacker must place a malicious DLL file with the name SHFOLDER.dll in a location the application will search.
- Privilege Required: The attacker needs local access to the target system to plant the malicious file. This could be achieved through phishing, exploiting another vulnerability, or if the user opens a file from an attacker-controlled location (like a USB drive or network share).
- Complexity: Successful exploitation is considered difficult, as it requires specific local conditions.
- Public Knowledge: An exploit for this vulnerability is publicly available, increasing the risk of attempted attacks.
Potential Impact
If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on the affected system with the privileges of the user running the ezPDF Reader. This could lead to:
- Installation of malware, ransomware, or spyware.
- Theft or corruption of sensitive data.
- Creation of a persistent backdoor for further network access.
- Full compromise of the local user account.
Remediation and Mitigation Steps
As the software vendor (Unidocs) has not provided an official patch or response, the following actions are critical:
- Immediate Mitigation: The most effective action is to uninstall the affected versions (ezPDF Reader 2.0 and 3.0.0.4, 32-bit) from all systems. Replace them with an alternative, up-to-date PDF reader from a trusted vendor.
- User Awareness: Educate users not to open PDF files from untrusted sources, especially if they are delivered via email or stored on removable media. The attack requires local file placement, so cautious behavior is a strong defense.
- Principle of Least Privilege: Ensure users operate with standard user accounts, not administrative privileges. This can limit the potential damage of successful exploitation.
- Monitor for Updates: Periodically check the Unidocs website or security advisories for any future patches or statements regarding this CVE. If a patch is released, apply it immediately.
- System Monitoring: Maintain robust endpoint detection and antivirus solutions, which may help identify malicious DLL files or suspicious process behavior associated with this hijacking technique.
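For the System Monitoring step, the following added example (not part of the original advisory and not Unidocs code) flags any load of SHFOLDER.dll from outside the Windows system directories, using the Image, ImageLoaded and Signed fields of Sysmon image-load events (Event ID 7). The sample events, the ExampleReader process path and the C:\Windows system root are assumptions made for illustration.

```python
import ntpath

# Directories Windows itself loads SHFOLDER.dll from. Assumes %SystemRoot% is
# C:\Windows; adjust for hosts installed elsewhere.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
TARGET_DLL = "shfolder.dll"


def is_suspicious_load(image_loaded):
    """True when the path is a SHFOLDER.dll outside the trusted directories."""
    # normpath collapses ".." segments; normcase lowercases and unifies slashes,
    # matching the case-insensitive way Windows resolves paths.
    path = ntpath.normcase(ntpath.normpath(image_loaded))
    if ntpath.basename(path) != TARGET_DLL:
        return False
    directory = ntpath.dirname(path)
    return not any(directory == d or directory.startswith(d + "\\") for d in TRUSTED_DIRS)


def find_hijack_candidates(events):
    """Return (process image, loaded path, signed flag) for each suspicious load."""
    hits = []
    for event in events:
        loaded = event.get("ImageLoaded", "")
        if is_suspicious_load(loaded):
            hits.append((event.get("Image", "?"), loaded, event.get("Signed", "unknown")))
    return hits


# Constructed sample records. Process names and paths are made up; the
# advisory does not name the product's executable.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\ExampleReader\reader.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\shfolder.dll", "Signed": "true"},
    {"Image": r"C:\Program Files (x86)\ExampleReader\reader.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\SHFOLDER.dll", "Signed": "false"},
    {"Image": r"C:\Program Files (x86)\ExampleReader\reader.exe",
     "ImageLoaded": r"\\fileserver\share\docs\ShFolder.DLL", "Signed": "false"},
    {"Image": r"C:\Program Files (x86)\ExampleReader\reader.exe",
     "ImageLoaded": r"C:\Windows\System32\..\Temp\shfolder.dll", "Signed": "false"},
    {"Image": r"C:\Program Files (x86)\ExampleReader\reader.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\version.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for image, loaded, signed in find_hijack_candidates(SAMPLE_EVENTS):
        print(f"ALERT {image} loaded {loaded} (Signed={signed})")
```

The same path test can be applied to a file inventory instead of load events, to find planted copies before the reader is ever launched.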
Summary: Due to the lack of vendor response and the public availability of an exploit, treating this vulnerability as a high-priority issue is warranted. Removal of the affected software is the recommended course of action.