CVE-2026-28760 · CWE-427 · Disclosed 2026-03-26

The installer of RATOC RAID Monitoring Manager for Windows searches the current directory to load certain DLLs

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a booby-trapped toolbox that only works if someone carries it into the machine room and opens it

CVE-2026-28760 is an insecure DLL search-path issue in the installer for RATOC RAID Monitoring Manager for Windows, mapped to CWE-427. The affected range is versions prior to 2.00.009.260220; the fix is the vendor's updated installer at 2.00.009.260220. If a crafted DLL is placed in the installer's current working directory and the installer is then launched, Windows can load the attacker's DLL and execute code with the installer's elevated privileges.

The vendor's HIGH 7.8 score reflects the eventual impact correctly, but it overstates enterprise urgency. This is not a remotely reachable service flaw; it is an installer-time local execution problem that depends on user interaction, a writable/untrusted working directory, and someone actually running this niche hardware utility installer. In real fleets, those compounded prerequisites crush the exposed population.

"High impact on paper, but the exploit path is narrow, local, and installer-time only."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Stage a lookalike install folder

The attacker prepares a directory containing the legitimate RATOC installer plus a malicious DLL with the expected name. The practical weapon is just a stock Windows install flow using msiexec.exe and a hijacking DLL; no kernel exploit or memory corruption is required.
Conditions required:
  • Attacker can deliver files to the target or to an admin/operator who will perform the install
  • Target environment actually uses RATOC RAID Monitoring Manager for supported RATOC RAID hardware
Where this breaks in practice:
  • This is a niche hardware utility, not a mass-market enterprise app
  • Software distribution platforms normally pull installers from trusted repositories rather than ad hoc folders
  • Email gateways, web filtering, and user training frequently break the delivery stage
Detection/coverage: Traditional vuln scanners usually miss this because the bug lives in installer behavior, not a network service. Content inspection and malware scanning may still catch the malicious DLL payload.
STEP 02

Get the installer launched from an untrusted working directory

The exploit only fires if the victim runs the installer from the attacker-controlled directory. In many cases that means convincing an admin or power user to unzip and run the installer manually from Downloads, a network share, or removable media.
Conditions required:
  • A user launches the installer
  • The current working directory still contains the malicious DLL
Where this breaks in practice:
  • Requires user interaction and timing during installation or upgrade
  • Many enterprises package software centrally and do not let end users self-install storage utilities
  • Application control or SmartScreen may stop unknown payloads before execution
Detection/coverage: Process creation telemetry can show msiexec.exe or the vendor installer executing from user-writeable paths such as %USERPROFILE%\Downloads, temp folders, or SMB shares.
STEP 03

Windows resolves the wrong DLL

Because the installer searches the current directory for certain DLLs, the attacker-controlled DLL can win the search order and be loaded. This is classic DLL hijacking: the loader behavior is simple, reliable, and well understood once the directory control prerequisite is met.
Conditions required:
  • The vulnerable installer version is used
  • The malicious DLL name matches what the installer attempts to load
Where this breaks in practice:
  • Only the vulnerable installer path is affected; already-installed endpoints are not passively exploitable
  • The attacker still needs the right DLL target and compatible payload
Detection/coverage: Sysmon ImageLoad telemetry is useful here; watch for unsigned or unexpected DLLs loaded by the installer from the installer's own directory or other user-writeable locations.
STEP 04

Execute as administrator and pivot

If the installer is elevated, the malicious DLL inherits that token and can modify services, drivers, startup items, or security settings. The impact is real—full admin-level code execution on that endpoint—but the blast radius stays bounded to systems where the installer is actually run.
Conditions required:
  • Installer runs with administrator rights
  • Endpoint protections do not block the payload post-load
Where this breaks in practice:
  • This does not self-propagate
  • No evidence of in-the-wild exploitation or KEV listing was found
  • Modern EDR commonly flags follow-on persistence or credential theft activity
Detection/coverage: EDR should detect the post-exploitation steps better than the vulnerability itself: service creation, registry autoruns, scheduled tasks, suspicious child processes, or credential access.
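As an added example (not part of the noisgate page), the Step 03 ImageLoad detection logic, using the user-writeable locations named in Step 02 as the location criterion. The records are constructed in the shape of Sysmon Event ID 7 fields, and the installer image names are assumptions rather than values from the advisory:

```powershell
# Added example: flag Sysmon ImageLoad (Event ID 7) records where an installer
# process loads an unsigned DLL from its own directory or from a location a
# standard user can write to. Sample data below is constructed, not real telemetry.

# Installer images worth scoping to (assumed names; adjust to your fleet).
$installerImages = @('msiexec.exe', 'setup.exe')

# Directories a standard user can normally write to (case-insensitive regexes).
$userWritablePatterns = @(
    '^[A-Z]:\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\',
    '^[A-Z]:\\Windows\\Temp\\',
    '^\\\\[^\\]+\\[^\\]+\\'          # UNC share: \\server\share\...
)

function Test-UserWritablePath([string]$Path) {
    foreach ($p in $userWritablePatterns) { if ($Path -imatch $p) { return $true } }
    return $false
}

function Test-SuspiciousDllLoad($Record) {
    $procName = [System.IO.Path]::GetFileName($Record.Image)
    if ($installerImages -notcontains $procName) { return $false }
    if ([System.IO.Path]::GetExtension($Record.ImageLoaded) -ine '.dll') { return $false }
    if ($Record.Signed -ieq 'true') { return $false }      # signed dependencies are normal
    $procDir = [System.IO.Path]::GetDirectoryName($Record.Image)
    $dllDir  = [System.IO.Path]::GetDirectoryName($Record.ImageLoaded)
    # Hijack shape: the DLL sits beside the installer or in a user-writeable
    # directory, whereas legitimate dependencies resolve from System32.
    return ($dllDir -ieq $procDir) -or (Test-UserWritablePath $Record.ImageLoaded)
}

# Constructed sample events mirroring Sysmon EventData field names.
$sample = @(
    [PSCustomObject]@{ Image='C:\Windows\System32\msiexec.exe'; ImageLoaded='C:\Windows\System32\example.dll'; Signed='true' },
    [PSCustomObject]@{ Image='C:\Users\alice\Downloads\RATOC\setup.exe'; ImageLoaded='C:\Users\alice\Downloads\RATOC\example.dll'; Signed='false' },
    [PSCustomObject]@{ Image='C:\Windows\System32\msiexec.exe'; ImageLoaded='\\fileserver\tools\ratoc\example.dll'; Signed='false' },
    [PSCustomObject]@{ Image='C:\Windows\explorer.exe'; ImageLoaded='C:\Users\alice\Downloads\example.dll'; Signed='false' }
)

# Expected: the second and third records are reported, the others are not.
$sample | Where-Object { Test-SuspiciousDllLoad $_ } |
    ForEach-Object { "ALERT: {0} loaded unsigned {1}" -f $_.Image, $_.ImageLoaded }
```

In production, feed Test-SuspiciousDllLoad from Get-WinEvent over the Microsoft-Windows-Sysmon/Operational log rather than the inline sample.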
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: No public evidence of active exploitation located; not listed in the CISA KEV catalog.
Proof-of-concept availability: No public GitHub or Metasploit PoC was found in web search. Inference: exploitation mechanics are straightforward DLL hijacking, but the hard part is delivery plus installer execution.
EPSS: User-supplied EPSS is 0.00006, which is effectively noise-floor probability and consistent with a narrow local installer bug; see FIRST EPSS.
KEV status: No KEV listing found in the current CISA catalog.
CVSS vector meaning: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H means local attack path + user interaction required + no prior account needed. Translation: serious endpoint impact, weak initial reach.
Affected versions: RATOC RAID Monitoring Manager for Windows prior to 2.00.009.260220, per JVN#08057419.
Fixed version: Fixed by the vendor's updated installer at 2.00.009.260220, per the vendor advisory and download page.
Exposure reality: Internet exposure is basically irrelevant here: this is an installer flaw in a Windows utility for specific RATOC RAID enclosures, not a listening service. External attack-surface tools like Shodan/Censys do not meaningfully measure this population.
Disclosure timeline: Disclosed 2026-03-26 in JVN; the vendor advisory was originally posted 2025-08-29 and updated 2026-03-18 at RATOC.
Researcher / coordinator: Reported by Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. and coordinated by JPCERT/CC per JVN.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.3/10)

The decisive factor is reachability: this bug only matters when someone runs a vulnerable installer from an attacker-controlled directory, which sharply limits both exposed population and exploit frequency. The impact is admin-level code execution on a box, but the path to get there is niche, local, and heavily dependent on installer workflow mistakes rather than a broadly reachable product flaw.

HIGH · Attacker-position and exploit-chain friction assessment
MEDIUM · Installed-base and field exposure estimate

Why this verdict

  • Downgrade for attacker position: the path is effectively *local installer execution*, not unauthenticated remote compromise. That alone strips most of the urgency out of a 7.8 label.
  • Downgrade for exposure population: this affects a niche RAID enclosure utility tied to specific RATOC hardware, not a common enterprise platform. Even inside Windows fleets, only a tiny subset will ever have this installer in play.
  • Downgrade for timing and workflow dependency: exploitation happens during install/upgrade time and requires the victim to run from an untrusted directory. Modern software deployment, trusted package repos, EDR, SmartScreen, and user friction all compound against attackers.

Why not higher?

There is no evidence of KEV listing, public exploitation, or a commodity exploit ecosystem. More importantly, this is not a service that sits there waiting to be hit; the vulnerable condition exists only when the installer is invoked from the wrong place.

Why not lower?

If the exploit chain lands, the attacker gets administrator-level code execution, which is not trivial impact. Enterprises that still allow manual installs from Downloads, ZIP extractions, or SMB shares can absolutely trip over this, especially on admin workstations or lab systems.

05 · Compensating Control

What to do — in priority order.

  1. Force installs from trusted paths only — Restrict RATOC installer execution to your software distribution system or a signed internal repository, and block ad hoc execution from %Downloads%, temp paths, removable media, and writable SMB shares. For a LOW verdict there is no formal mitigation SLA; treat this as backlog hygiene and fold the control into normal Windows hardening.
  2. Block unsigned DLL loads from user-writeable directories — Use WDAC/AppLocker/EDR policy to deny or alert on installers loading unsigned DLLs from the same directory or other user-writeable locations. This directly attacks the hijack primitive and is more useful than chasing the CVE with network scanners.
  3. Watch for installer execution in bad places — Create detections for the vendor MSI or msiexec.exe starting from user profiles, temp directories, ZIP extraction folders, or network shares. This is the control most likely to catch real abuse before the payload pivots.
  4. Package the fixed installer centrally — Publish only the vendor-fixed 2.00.009.260220 installer in your approved software catalog and retire older copies from shares and technician toolkits. For a LOW issue, do this as routine image/package maintenance rather than as an emergency campaign.
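An added example (not the page's or the vendor's code) of the staging hygiene behind controls 1 and 2: before a technician runs a package, list the DLLs sitting beside it with their Authenticode status, refuse to proceed if any is not validly signed, and launch msiexec with a working directory a standard user cannot write to. The installer file name is hypothetical:

```powershell
# Added example: pre-flight check for running a setup package from a folder.
# Refuses to launch when DLLs beside the installer are unsigned or untrusted,
# which is the staging condition a CWE-427 installer needs to be exploited.
param(
    [Parameter(Mandatory)][string]$InstallerPath,   # e.g. .\RATOC\setup.msi (hypothetical)
    [switch]$Run                                     # only launch when explicitly asked
)

function Get-StagedDllReport([string]$Installer) {
    $dir = Split-Path -Parent (Resolve-Path $Installer).Path
    Get-ChildItem -Path $dir -Filter '*.dll' -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Dll     = $_.Name
            Status  = $sig.Status      # Valid / NotSigned / HashMismatch / NotTrusted / ...
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            Trusted = ($sig.Status -eq 'Valid')
        }
    }
}

$report = @(Get-StagedDllReport $InstallerPath)
$report | Format-Table -AutoSize

$bad = @($report | Where-Object { -not $_.Trusted })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} DLL(s) beside the installer are not validly signed; not launching." -f $bad.Count)
    exit 1
}

if ($Run) {
    # A non-writeable working directory removes the current-directory lookup the
    # advisory describes; DLLs shipped in the package folder itself are covered
    # by the signature check above.
    Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList @('/i', "`"$InstallerPath`"") `
        -WorkingDirectory $env:SystemRoot -Wait
}
exit 0
```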
What doesn't work
  • Perimeter firewall rules do nothing here because the vulnerable component is a local Windows installer, not an exposed network service.
  • External attack-surface management will not help much; there is no meaningful internet-facing fingerprint for an installer-time DLL hijack.
  • MFA does not materially reduce risk once a user is convinced to run the local installer from a poisoned directory.
06 · Verification

Crowdsourced verification payload.

Run this on the target Windows host or through your endpoint management platform. Invoke with powershell.exe -ExecutionPolicy Bypass -File .\check-ratoc-cve-2026-28760.ps1; standard user rights are usually enough to read uninstall inventory, but admin helps if you also want to inspect install locations.

# check-ratoc-cve-2026-28760.ps1
# Detects whether RATOC RAID Monitoring Manager for Windows is present
# and whether the installed DisplayVersion indicates a vulnerable build.
# Note: the flaw is in the installer; the installed product's DisplayVersion
# is used here as a proxy for which installer build was run on this host.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

$ErrorActionPreference = 'SilentlyContinue'

function Get-RatocInstall {
    # Per-machine (64-bit and 32-bit views) and per-user uninstall inventory
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    foreach ($root in $roots) {
        Get-ItemProperty $root | Where-Object {
            $_.DisplayName -match 'RATOC RAID' -or $_.DisplayName -match 'RAID Monitoring Manager'
        } | ForEach-Object {
            [PSCustomObject]@{
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                Publisher       = $_.Publisher
                InstallLocation = $_.InstallLocation
                UninstallString = $_.UninstallString
                PSPath          = $_.PSPath
            }
        }
    }
}

function Normalize-Version([string]$v) {
    # Parse the dotted version as [version] so each component is compared
    # numerically. Stripping the dots and casting the digits to an integer
    # breaks when components are zero-padded differently (2.0.9.x vs 2.00.009.x).
    if ([string]::IsNullOrWhiteSpace($v)) { return $null }
    $m = [regex]::Match($v, '\d+(\.\d+){1,3}')
    if (-not $m.Success) { return $null }
    try { return [version]($m.Value) } catch { return $null }
}

$fixedVersionRaw = '2.00.009.260220'
$fixedVersion    = Normalize-Version $fixedVersionRaw
$installs        = @(Get-RatocInstall)

if ($installs.Count -eq 0) {
    Write-Output 'UNKNOWN - RATOC RAID Monitoring Manager not found in uninstall inventory on this host.'
    exit 2
}

# If multiple entries exist, evaluate the newest parsable version
$evaluated = @(foreach ($app in $installs) {
    [PSCustomObject]@{
        DisplayName     = $app.DisplayName
        DisplayVersion  = $app.DisplayVersion
        Version         = Normalize-Version $app.DisplayVersion
        InstallLocation = $app.InstallLocation
    }
})

$parsable = @($evaluated | Where-Object { $null -ne $_.Version } | Sort-Object Version -Descending)

if ($parsable.Count -eq 0) {
    Write-Output 'UNKNOWN - RATOC app found, but DisplayVersion is missing or unparsable.'
    $evaluated | ForEach-Object { Write-Output ("Found: {0} | Version: {1}" -f $_.DisplayName, $_.DisplayVersion) }
    exit 2
}

$best = $parsable[0]

if ($best.Version -lt $fixedVersion) {
    Write-Output ("VULNERABLE - {0} version {1} is older than fixed version {2}." -f $best.DisplayName, $best.DisplayVersion, $fixedVersionRaw)
    exit 1
}
else {
    Write-Output ("PATCHED - {0} version {1} meets or exceeds fixed version {2}." -f $best.DisplayName, $best.DisplayVersion, $fixedVersionRaw)
    exit 0
}
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: do not spin up an emergency patch wave for this one. Find where this RATOC utility exists, retire any old installer copies from file shares and technician toolkits, and make sure only the fixed 2.00.009.260220 package is available through approved software channels. Because this is a LOW reassessment, there is no noisgate mitigation SLA and no noisgate remediation SLA—treat it as backlog hygiene, document the narrow exposure, and clean it up in your normal packaging/image maintenance cycle rather than interrupting higher-value patch work.

Sources

  1. NVD CVE-2026-28760
  2. JVN#08057419 advisory
  3. RATOC vendor advisory
  4. RATOC download / fixed installer page
  5. CWE-427 definition
  6. JVNTA on insecure DLL loading in Windows apps
  7. CISA Known Exploited Vulnerabilities catalog
  8. FIRST EPSS