Published:2026/07/08  Last Updated:2026/07/08

JVN#62347140
Multiple vulnerabilities in the installer for Pupsman

Overview

The installer for Pupsman provided by Fuji Electric Co.,Ltd. contains multiple vulnerabilities.

Products Affected

  • Pupsman versions prior to 3.9.0

Description

The installer for Pupsman provided by Fuji Electric Co.,Ltd. contains multiple vulnerabilities listed below:

  • Uncontrolled search path element (CWE-427)
    • CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.4
    • CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8
    • CVE-2026-56437
    • The CVSS vectors above assume that a victim user is directed to place a specially crafted DLL file in the same folder as the affected installer and to execute the installer.
  • Incorrect default permissions (CWE-276)
    • CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.5
    • CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score 7.8
    • CVE-2026-57895

Impact

  • If a crafted DLL file is placed in the same folder as the affected installer and the installer is executed, arbitrary code may be executed with SYSTEM privilege (CVE-2026-56437).
  • An attacker can place a malicious executable in the installation folder, which results in arbitrary code execution with SYSTEM privilege (CVE-2026-57895).

Solution

Update the Software
Use Pupsman version 3.9.0 or later, based on the information provided by the developer.

Vendor Status

Vendor Link
FUJI ELECTRIC CO., LTD. Pupsman (Text in Japanese)

References

  1. Japan Vulnerability Notes JVNTA#91240916
    Insecure DLL Loading and Command Execution Issues on Many Windows Application Programs

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2026-56437
CVE-2026-57895
JVN iPedia JVNDB-2026-000095