CVE-2025-59684
📋 TL;DR
DigiSign DigiSigner ONE 1.0.4.60 is vulnerable to DLL hijacking, allowing attackers to execute arbitrary code by placing a malicious DLL in a location where the application searches for legitimate DLLs. This affects all users running the vulnerable version of DigiSigner ONE on Windows systems. Attackers can gain the same privileges as the user running the application.
💻 Affected Systems
- DigiSign DigiSigner ONE
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise if the application runs with administrative privileges, allowing attackers to install malware, steal credentials, or pivot to other systems.
Likely Case
Local privilege escalation or arbitrary code execution in the context of the user running DigiSigner ONE, potentially leading to data theft or further system compromise.
If Mitigated
Limited impact if the application runs with minimal privileges and proper application whitelisting controls are in place.
🎯 Exploit Status
Exploitation requires local access to place malicious DLLs in specific directories. Public proof-of-concept code is available in the GitHub repository.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://digisign.ro/products-services/signing-applications/
Restart Required: No
Instructions:
1. Check the vendor website for security updates.
2. If a patch is available, download and install it.
3. Verify that the installed version is newer than 1.0.4.60.
🔧 Temporary Workarounds
Restrict DLL search path
Windows: Use Windows policies to restrict the locations from which applications can load DLLs.
Configure Windows DLL search order via Group Policy: Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > DLL Rules
Run with minimal privileges
Windows: Ensure DigiSigner ONE runs with standard user privileges, not administrative rights.
🧯 If You Can't Patch
- Remove or restrict write permissions to directories where DigiSigner ONE searches for DLLs
- Implement application whitelisting to prevent execution of unauthorized DLLs
🔍 How to Verify
Check if Vulnerable:
Check whether the installed DigiSigner ONE version is 1.0.4.60. Monitor for unexpected DLL loads from insecure locations such as the current directory or temporary folders.
Check Version:
Check the DigiSigner ONE 'About' dialog or examine the file properties of DigiSignerONE.exe.
Verify Fix Applied:
Verify that the installed version is newer than 1.0.4.60. Test by placing a harmless test DLL in the application directories and confirming that it is not loaded.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing DLL loads from unusual locations
- Process Monitor logs showing DigiSignerONE.exe loading DLLs from current directory or temp folders
Network Indicators:
- Unusual outbound connections from DigiSignerONE.exe process
SIEM Query:
Process creation where the parent process is DigiSignerONE.exe AND the command line contains suspicious DLL paths