CVE-2026-15515

Tencent · PC Manager

Tencent PC Manager is susceptible to an uncontrolled search path vulnerability, potentially allowing local attackers to execute arbitrary code with elevated privileges.

Executive summary

An uncontrolled search path vulnerability in Tencent PC Manager 18 could allow a local attacker to achieve privilege escalation through malicious library loading.

Vulnerability

This vulnerability involves an uncontrolled search path (CWE-427/CWE-426), where the application insecurely searches for dynamic link libraries. An authenticated local user (PR:L) can exploit this to load malicious code, provided they can influence the environment or search paths.

Business impact

With a CVSS score of 7.0, this vulnerability presents a significant risk for environments where local system security is paramount. Successful exploitation allows for privilege escalation, potentially granting an attacker full control over the local system, leading to complete compromise of the host machine and potential lateral movement within the network.

Remediation

Immediate Action: Monitor vendor communication channels for the release of a security patch and apply it as soon as it becomes available.

Proactive Monitoring: Audit local system logs for unexpected file executions or DLL loading patterns that originate from non-standard or user-writable directories.

Compensating Controls: Restrict local user permissions and ensure that system folders and application directories have strict Access Control Lists (ACLs) to prevent unauthorized file placement.

Exploitation status

Public Exploit Available: Yes — a GitHub repository exists (subsubsub1231/qmukiller).

Analyst recommendation

Due to the availability of a public proof-of-concept and the high impact of privilege escalation, administrators should restrict local access to the affected systems. Ensure that the Tencent PC Manager software is updated to the latest available version as soon as the vendor issues a fix to resolve the search path vulnerability.