CVE-2019-25268
NREL · NREL BEopt Multiple Products
A critical DLL hijacking vulnerability exists in NREL BEopt version 2.8.0.0.
Executive summary
A critical DLL hijacking vulnerability exists in NREL BEopt version 2.8.0.0. An attacker can exploit this by tricking a user into opening a legitimate application file from a malicious remote network share, which could lead to arbitrary code execution and a complete compromise of the user's system. This vulnerability poses a severe risk to data confidentiality, integrity, and system availability.
Vulnerability
The NREL BEopt application loads certain Dynamic Link Libraries (DLLs), specifically sdl2.dll and libegl.dll, using an insecure method that does not specify a full, trusted path. An attacker can exploit this by creating a malicious WebDAV or SMB network share and placing a legitimate BEopt project file alongside a malicious version of one of these DLLs. When a user opens the project file from this remote location, the application searches for the required DLLs in the same directory first, inadvertently loading and executing the attacker's malicious library. This results in arbitrary code execution on the victim's machine with the same privileges as the logged-in user.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8, indicating a high potential for severe business impact. Successful exploitation could lead to a full system compromise, allowing an attacker to install malware such as ransomware or spyware, steal sensitive data and intellectual property related to building energy modeling, or use the compromised workstation as a foothold to move laterally within the corporate network. The direct risks include data breaches, financial loss from ransomware, and reputational damage.
Remediation
Immediate Action: Update NREL BEopt to the latest version provided by the vendor to patch the insecure library loading behavior. After patching, monitor for any signs of post-exploitation activity and review system and network access logs for unusual patterns originating from systems running the BEopt software.
Proactive Monitoring: Implement monitoring rules to detect suspicious behavior associated with this vulnerability. Monitor for the BEopt.exe process loading DLLs (sdl2.dll, libegl.dll) from non-standard locations, such as network shares or user profile directories. Scrutinize network logs for unusual outbound SMB (port 445) or WebDAV connections to external IP addresses initiated by end-user workstations.
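As an added example that is not part of this advisory, the following detection logic applies the monitoring rule above to Sysmon Event ID 7 (Image loaded) records: it flags BEopt.exe loading sdl2.dll or libegl.dll from a UNC/WebDAV share or from a user profile directory. The sample records, host addresses, user names and install paths are constructed for illustration.

```python
from pathlib import PureWindowsPath

# DLLs the advisory names as loaded by bare name, and the loading process.
HIJACKABLE_DLLS = {"sdl2.dll", "libegl.dll"}
TARGET_PROCESS = "beopt.exe"

# Constructed Sysmon Event ID 7 records (fields: Image, ImageLoaded).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files (x86)\NREL\BEopt\BEopt.exe",
     "ImageLoaded": r"C:\Program Files (x86)\NREL\BEopt\sdl2.dll"},        # install dir: benign
    {"EventID": 7, "Image": r"C:\Program Files (x86)\NREL\BEopt\BEopt.exe",
     "ImageLoaded": r"\\203.0.113.10\share\sdl2.dll"},                     # SMB share: alert
    {"EventID": 7, "Image": r"C:\Program Files (x86)\NREL\BEopt\BEopt.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\libegl.dll"},                # user profile: alert
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"\\fileserver\share\libegl.dll"},                      # other process: ignored
    {"EventID": 7, "Image": r"C:\Program Files (x86)\NREL\BEopt\BEopt.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},                   # system DLL: ignored
]


def is_untrusted_location(path: str) -> bool:
    """True for UNC paths (SMB, or WebDAV via \\\\host@SSL\\DavWWWRoot) and C:\\Users\\... paths."""
    if path.startswith("\\\\"):
        return True
    parts = [part.lower() for part in PureWindowsPath(path).parts]
    # A drive-rooted path splits as ['c:\\', 'users', '<name>', ...].
    return len(parts) >= 2 and parts[1] == "users"


def detect_dll_hijack(events):
    """Return one alert per BEopt.exe load of a hijackable DLL from an untrusted location."""
    alerts = []
    for event in events:
        if event.get("EventID") != 7:
            continue
        process = PureWindowsPath(event["Image"]).name.lower()
        loaded = event["ImageLoaded"]
        dll = PureWindowsPath(loaded).name.lower()
        if process == TARGET_PROCESS and dll in HIJACKABLE_DLLS and is_untrusted_location(loaded):
            alerts.append({"process": event["Image"], "dll": dll, "path": loaded})
    return alerts


if __name__ == "__main__":
    for alert in detect_dll_hijack(SAMPLE_EVENTS):
        print(f"ALERT: {alert['process']} loaded {alert['dll']} from {alert['path']}")
```

Feeding real Sysmon exports through `detect_dll_hijack` requires only mapping the Image and ImageLoaded fields into the same dictionary shape.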
Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:
- Block outbound SMB and WebDAV traffic at the network perimeter firewall for all workstations that do not explicitly require it for business operations.
- Implement application control policies (e.g., AppLocker) to restrict which DLLs can be loaded by the BEopt application.
- Educate users on the dangers of opening files from untrusted or unfamiliar network locations and email links.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.8, this vulnerability presents a significant risk to the organization. Although it is not currently listed on the CISA KEV catalog, the ease of exploitation combined with the high impact necessitates immediate action. We strongly recommend that all affected instances of NREL BEopt are identified and updated to the latest patched version as the highest priority to prevent potential system compromise and data exfiltration.