PatchSiren

CVE-2016-5720 Microsoft CVE debrief

CVE-2016-5720 describes a local untrusted search path weakness in Microsoft Skype. If a Trojan horse DLL named msi.dll, dpapi.dll, or cryptui.dll is placed in the current working directory, Skype may load it instead of a trusted library, allowing local code execution. NVD rates the issue High (CVSS 7.8) and classifies it as CWE-264.

Vendor: Microsoft
Product: CVE-2016-5720
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Administrators and users running Microsoft Skype on systems where local users can write to directories used during launch should care most. This is especially important on shared endpoints, developer workstations, and any environment where unexpected files can be introduced into the process launch path.

Technical summary

The vulnerability is an untrusted search path/DLL hijacking condition in Microsoft Skype. The CVE description states that a local user can conduct DLL hijacking attacks via a Trojan horse msi.dll, dpapi.dll, or cryptui.dll located in the current working directory. The supplied NVD data maps the issue to CWE-264 and assigns CVSS v3.0 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating meaningful impact once an attacker can place the malicious DLL in the search path used by Skype.

Defensive priority

High for environments that still run affected Skype builds or allow untrusted local write access near the application launch context. The risk is local rather than remote, but successful abuse can yield full confidentiality, integrity, and availability impact on the affected user context.

Recommended defensive actions

  • Verify whether any deployed Microsoft Skype versions are affected and whether Microsoft has published remediation guidance for your build.
  • Prevent untrusted users from writing to directories that Skype may search when it starts, especially the current working directory.
  • Review application launch practices so Skype is started from trusted, controlled locations rather than user-writable paths.
  • Use least privilege for local accounts and reduce opportunities for low-privilege users to place files in executable search paths.
  • Monitor for unexpected msi.dll, dpapi.dll, or cryptui.dll files in working directories associated with Skype launches.
  • Remove or isolate legacy Skype installations that are no longer required, and prefer supported versions with current vendor updates.
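
The monitoring step in the list above, as an added example (not part of the original debrief or any vendor tooling): a Python sweep that reports files named msi.dll, dpapi.dll, or cryptui.dll found outside the Windows system directories, with a SHA-256 for triage. The trusted-directory list and the scanned folders are assumptions to adjust per environment.

```python
import hashlib
import os
from pathlib import Path

# DLL names listed in the CVE-2016-5720 description.
WATCHED = {"msi.dll", "dpapi.dll", "cryptui.dll"}

def default_trusted_dirs():
    """System directories where these DLLs legitimately live (assumption)."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return [Path(root) / d for d in ("System32", "SysWOW64", "WinSxS")]

def _is_under(path, parents):
    """True if path is one of parents or sits inside one (case-normalised)."""
    p = os.path.normcase(os.path.abspath(path))
    for parent in parents:
        base = os.path.normcase(os.path.abspath(parent))
        if p == base or p.startswith(base + os.sep):
            return True
    return False

def find_planted_dlls(roots, trusted_dirs=None):
    """Walk roots and report watched DLL names found outside trusted_dirs."""
    trusted = default_trusted_dirs() if trusted_dirs is None else trusted_dirs
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            if _is_under(dirpath, trusted):
                continue
            for name in files:
                if name.lower() not in WATCHED:
                    continue
                full = os.path.join(dirpath, name)
                try:
                    with open(full, "rb") as fh:
                        digest = hashlib.sha256(fh.read()).hexdigest()
                    size = os.path.getsize(full)
                except OSError:
                    digest, size = None, None  # unreadable: still report the path
                findings.append({"path": full, "name": name.lower(),
                                 "size": size, "sha256": digest})
    return sorted(findings, key=lambda f: f["path"])

if __name__ == "__main__":
    # Example roots (assumption): the current user's Downloads and Desktop folders.
    home = Path.home()
    for hit in find_planted_dlls([home / "Downloads", home / "Desktop"]):
        print(hit["sha256"], hit["size"], hit["path"])
```

A hit is a lead for review, not proof of abuse: compare the hash and signer against the copy in the system directory before acting.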

Evidence notes

Source corpus supports a local untrusted search path/DLL hijacking issue in Microsoft Skype involving msi.dll, dpapi.dll, or cryptui.dll in the current working directory. The provided CVE description explicitly states local code execution and DLL hijacking by a local user. NVD metadata lists CWE-264 and CVSS v3.0 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Timeline context: CVE published 2017-01-23 and later modified by NVD on 2026-05-13; do not interpret the modified date as the issue date. References supplied in the corpus point to a 2016-09 third-party mailing-list advisory and SecurityFocus entry.

Official resources

CVE published on 2017-01-23; NVD record later modified on 2026-05-13. The supplied references include a September 2016 third-party advisory and a SecurityFocus entry. No exploit code or reproduction steps are included here.