<?xml version="1.0" encoding="utf-8"?><rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Ivanti Blog: Posts by </title><description /><language>en</language><atom:link rel="self" href="https://www.ivanti.com/en-gb/blog/authors/mariah-shotts/rss" /><link>https://www.ivanti.com/en-gb/blog/authors/mariah-shotts</link><item><guid isPermaLink="false">1e95ea64-34ca-4c22-9c3f-9d60cdf9995d</guid><link>https://www.ivanti.com/en-gb/blog/dll-hijacking-prevention</link><atom:author><atom:name>Mariah Shotts</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/mariah-shotts</atom:uri></atom:author><category>Endpoint &amp; Workspace Management</category><category>Security</category><title>DLL Hijacking: Risks, Real-World Examples and How to Prevent Attacks</title><description>&lt;p&gt;There’s been buzz around &lt;a href="https://www.cve.org/CVERecord?id=CVE-2025-56383" rel="noopener" target="_blank"&gt;CVE-2025-56383&lt;/a&gt; (published on Sept. 26, 2025), a hijacking vulnerability in Notepad++ v8.8.3 in which a DLL file can be swapped to execute malicious code.&lt;/p&gt;

&lt;p&gt;The CVE has been disputed by multiple parties, but we’re not here to comment on that. However, we are here to comment on DLL hijacking and discuss the very real threat that it poses to an organisation. Let’s look into what DLL hijacking is and what measures you can take to keep your DLLs safe.&lt;/p&gt;

&lt;h2&gt;What DLL hijacking is and how it happens&lt;/h2&gt;

&lt;p&gt;DLL hijacking (also known as a DLL preloading attack) is a security vulnerability where a legitimate and trusted Dynamic Link Library (DLL) file in a Windows application is replaced with a malicious one.&lt;/p&gt;

&lt;p&gt;This method exploits the way applications load DLL files, which contain code and data used by multiple programmes. By loading a malicious DLL, a threat actor can execute their own code with the same privileges as the legitimate application, leading to privilege escalation, persistence and defence evasion.&lt;/p&gt;

&lt;p&gt;When a programme starts, it often needs to load various DLLs to perform specific functions, typically from trusted system directories. However, if an application is not careful about where it looks for these DLLs, it might load a malicious DLL from an insecure or predictable location (e.g., the current working directory or a network share). This can happen if the application does not specify the full path to the DLL or if it searches for the DLL in a directory that can be accessed or modified by an attacker.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Flowchart showing DLL loading sequence. A purple box labeled “Application starts and requests DLL” connects to three folders: “Current Working Directory,” “Network Share,” and “System32.” The Current Working Directory points to a red box labeled “Malicious DLL” with a warning icon, while Network Share and System32 point to orange boxes labeled “Legitimate DLL” with checkmark icons." src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/12/diagram1-dll-hijackcing.png"&gt;&lt;/p&gt;

&lt;p&gt;While this type of attack is not new, it remains effective due to its simplicity. And although this specific issue pertains to Windows applications, it's important to call out that similar vulnerabilities can affect other operating systems (like Linux and macOS, which use dynamic loading for shared libraries).&lt;/p&gt;

&lt;p&gt;DLL hijacking introduces multiple security risks, including:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Data theft:&lt;/strong&gt; The malicious DLL can intercept and steal sensitive data, such as passwords or personal information.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Compromised systems:&lt;/strong&gt; The attacker can gain control over the system, potentially leading to further attacks or the installation of additional malware.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Malware:&lt;/strong&gt; The malicious DLL can act as a conduit for spreading malware, infecting other parts of the system or network.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A DLL can be hijacked in several different ways; here are some of the most common techniques:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Insecure DLL search order:&lt;/strong&gt; Attackers place malicious DLLs in directories searched before the legitimate DLL's location.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Relative path manipulation:&lt;/strong&gt; Malicious DLLs are loaded when applications use relative paths.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;DLL redirection:&lt;/strong&gt; Techniques like path manipulation redirect the DLL loading process.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Weak permissions:&lt;/strong&gt; Attackers replace legitimate DLLs with malicious ones in directories with weak permissions.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Phantom DLL hijacking:&lt;/strong&gt; Attackers exploit applications loading non-existent DLLs by placing malicious DLLs with the same name in searched directories.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img alt="Circular diagram divided into six colored segments around a center labeled “DLL Hijacking Techniques.” Segments include “Phantom DLL Hijacking,” “Insecure DLL Search Order,” “Relative Path Manipulation,” “DLL Redirection,” “Weak Permissions,” each with a small icon representing the concept." src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/12/diagram2-dll-hijackcing.png"&gt;&lt;/p&gt;

&lt;p&gt;These potential vulnerabilities highlight the importance of secure coding practices and directory permission management when it comes to preventing this form of attack.&lt;/p&gt;

&lt;h2&gt;How to prevent DLL hijacking and keep your DLLs safe and secure&lt;/h2&gt;

&lt;p&gt;Although DLL hijacking remains a threat, there are best practices you can follow and implement to reduce your risk for a safer, more secure IT environment.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Five concentric circles in gradient colors from orange to purple, representing security layers. The innermost circle reads “Secure DLL Loading,” followed by “Integrity Checks,” “User Permissions,” “App Control and Security Software,” and the outermost circle labeled “Patch Management.”" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/12/diagram3-dll-hijackcing.png"&gt;&lt;/p&gt;

&lt;h3&gt;Secure DLL loading:&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Use full paths:&lt;/strong&gt; Always specify the full path to the DLL when loading it. This ensures that the application loads the DLL from a trusted location (and not from an insecure directory).&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Set the safe search path:&lt;/strong&gt; Use the SetDllDirectory function in Windows to add trusted directories to the search path and exclude insecure ones. This can help prevent the application from loading DLLs from unexpected locations.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;File integrity checks:&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Digital signatures:&lt;/strong&gt; Ensure that DLLs are signed with a digital signature and verify the signature before loading the DLL. This can help confirm that the DLL has not been tampered with.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Hash verification:&lt;/strong&gt; Use cryptographic hash functions to verify the integrity of DLL files. If the hash of the DLL does not match the expected value, the file may have been modified.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;User permissions:&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Least privilege principle:&lt;/strong&gt; Run applications with the least privilege necessary. This limits the potential damage of a DLL hijacking attack, as the malicious code will have fewer permissions with which to carry out harmful actions.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;User Account Control (UAC):&lt;/strong&gt; Enable UAC on Windows systems to prompt users for permission before running applications with elevated privileges. This can help prevent unauthorised changes to system files.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Application control and privilege management:&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Known and trusted applications:&lt;/strong&gt; Application control ensures that only known and trusted applications are launchable, removing the risk of unauthorised applications being introduced.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Privilege control:&lt;/strong&gt; Effective privilege management is crucial in preventing DLL hijacking. By ensuring that applications have the correct rights and privileges to launch, you limit the ability of unauthorised users to introduce malicious files. This control acts as a key barrier, restricting the access an attacker needs to exploit the DLL search mechanism and thereby enhancing the security of your environment.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Security software:&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Antivirus and anti-malware:&lt;/strong&gt; Use reputable antivirus and anti-malware software to detect and prevent the loading of malicious DLLs. These tools can scan for known malicious files and behaviours.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Intrusion Detection Systems (IDS):&lt;/strong&gt; Implement IDS to monitor for unusual activity, such as unexpected changes to DLL files or attempts to load DLLs from insecure locations.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Patch management:&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Keep software updated:&lt;/strong&gt; Regularly update applications and operating systems with the latest security patches. Many DLL hijacking vulnerabilities are fixed via updates, so stay current to help protect against known threats.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Automated patching:&lt;/strong&gt; Use an &lt;a href="https://www.ivanti.com/en-gb/products/ivanti-neurons-for-patch-management"&gt;automated patch management tool&lt;/a&gt; to ensure that all systems are kept up to date without manual intervention. This reduces the window of opportunity for attackers to exploit known vulnerabilities, including those that could be used for DLL hijacking. This proactive approach helps maintain the integrity of your applications and operating systems, making it much harder for attackers to inject malicious DLLs.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;By implementing these best practices, you can significantly reduce the risk of DLL hijacking and enhance the overall security of your applications and systems.&lt;/p&gt;

&lt;h2&gt;Combine the right tools and tactics to prevent DLL hijackings&lt;/h2&gt;

&lt;p&gt;DLL hijacking has been a persistent form of attack for years, proving that it’s still effective and will therefore continue to be an issue for organisations.&lt;/p&gt;

&lt;p&gt;Future-proof your organisation using the best practices mentioned above combined with proven solutions like &lt;a href="https://www.ivanti.com/en-gb/products/application-control"&gt;Ivanti Neurons for App Control&lt;/a&gt; to help keep your DLLs secure. Capabilities like Trusted Ownership catch and deny a hijacked DLL from being executed by ensuring that ownership of the items matches your approved list of trusted owners.&lt;/p&gt;

&lt;p&gt;And keep your apps up to date to limit exposure to known vulnerabilities. Remove the risk of human error by automating patching with &lt;a href="https://www.ivanti.com/en-gb/products/ivanti-neurons-for-patch-management"&gt;Ivanti Neurons for Patch Management&lt;/a&gt;, ensuring that systems are automatically updated and secured.&lt;/p&gt;
</description><pubDate>Wed, 17 Dec 2025 14:00:02 Z</pubDate></item><item><guid isPermaLink="false">0359ce51-897c-4cca-8e13-254e378129f7</guid><link>https://www.ivanti.com/en-gb/blog/windows-11-migration-strategy</link><atom:author><atom:name>Mariah Shotts</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/mariah-shotts</atom:uri></atom:author><category>Endpoint &amp; Workspace Management</category><title>Windows 11 Migration: Ivanti's Customer Zero Journey with Win11 Upgrades</title><description>&lt;p&gt;Windows 11 offers enhanced security and a modern user interface, but the transition can be complex for large organisations, with logistical and employee buy-in challenges. Microsoft will end support for Windows 10 on October 14, 2025, so it's crucial to start planning and executing Windows 11 deployments now.&lt;/p&gt;

&lt;h2&gt;The need to migrate to Windows 11&lt;/h2&gt;

&lt;p&gt;Migrating to Windows 11 is essential for staying current, secure and efficient. It provides advanced security features like stronger encryption and improved threat detection, safeguarding your data and enhancing IT resilience. The user-friendly interface also streamlines daily tasks, boosting productivity. With Microsoft ending support for Windows 10 this year, upgrading can help organisations avoid increased security risks and potential downtime. According to &lt;a href="https://www.gartner.com/en/documents/6338779" rel="noopener" target="_blank"&gt;Gartner&lt;/a&gt;, many enterprises are opting to replace even compatible machines with new hardware to ensure optimal performance with Windows 11. Proactive planning ensures a smooth and seamless transition.&lt;/p&gt;

&lt;h2&gt;Ivanti’s use-case for Windows 10 to Windows 11 migration&lt;/h2&gt;

&lt;p&gt;At Ivanti, we’ve been successfully rolling out Windows 11 migrations since the beginning of 2025. Like many large organisations, we’ve been discussing and planning this migration for quite some time. The goal is to update every eligible machine in a timely manner and triage ineligible machines for further troubleshooting or replacement.&lt;/p&gt;

&lt;p&gt;To meet this goal, we prioritised using our own Ivanti Neurons platform solutions, which equipped us with the proactive tools and insights necessary for a successful Windows 11 deployment. Using a phased approach, we were able to identify and address issues coming back from early adopters and gather valuable feedback. Once we saw validation of our plan, we could gradually roll out the upgrade to the rest of the organisation, ensuring a smoother migration overall.&lt;/p&gt;

&lt;h2&gt;Potential challenges&lt;/h2&gt;

&lt;p&gt;Like any other company, we wanted to get ahead of any potential barriers to a successful migration.&lt;/p&gt;

&lt;h3&gt;Hardware compatibility and unknown devices&lt;/h3&gt;

&lt;p&gt;One of the biggest challenges in upgrading to Windows 11 is meeting the hardware requirements. Many existing devices may not satisfy Microsoft's strict criteria, limiting the number of eligible machines. This can be especially problematic for organisations with a mix of older hardware. To tackle this, Ivanti’s IT team used our discovery capabilities to perform a thorough inventory and assessment of all devices, identifying those that would need to be upgraded or replaced before starting the migration. You can’t migrate devices you don’t know about, which made a comprehensive view of our IT landscape a key first step.&lt;/p&gt;

&lt;h3&gt;End-user friction and disruptions to productivity&lt;/h3&gt;

&lt;p&gt;User resistance to new interfaces and features can be another barrier to success. Change can be daunting, and the new look and features of Windows 11 may intimidate users accustomed to older versions. OS upgrades can also cause disruptions to users’ work, causing frustrations and downtime. To minimise these issues, Ivanti’s IT team wanted to make sure that updates were happening at a time most convenient to the end user to avoid losing unsaved work or disrupting productivity in general.&lt;/p&gt;

&lt;h3&gt;Continuing security updates with extended support&lt;/h3&gt;

&lt;p&gt;Not every machine can immediately upgrade to Windows 11 due to hardware requirements. However, Ivanti’s extended support will allow us to continue Windows 10 security updates past October, keeping these devices protected and functional.&lt;/p&gt;

&lt;p&gt;Ivanti’s Extended Security Update (ESU) deployment streamlines the patching process, reduces IT workload and maintains compliance with regulations like GDPR, HIPAA, or PCI-DSS. Unpatched systems face over 1,200 vulnerabilities annually, and a data breach can cost an average of $4.45 million, according to &lt;a href="https://www.ibm.com/reports/data-breach" rel="noopener" target="_blank"&gt;IBM&lt;/a&gt;. We need to make sure that any devices that don’t update to Windows 11 are kept safe and secure from vulnerabilities.&lt;/p&gt;

&lt;p&gt;Extended support also helps us extend our device lifecycle for devices that aren’t quite ready to be replaced, or when budget constraints are a factor. According to Gartner, many enterprises are still delaying purchases despite the need to move from Windows 10 to Windows 11, extending the lifecycle of their existing equipment and seeking alternatives to maximise their budgets. Ivanti’s ESU solutions help extend the lifespan of these devices, avoiding the high costs of a full hardware refresh. This ensures seamless patching, minimises security risks and reduces manual IT effort, helping us avoid potential losses and disruptions.&lt;/p&gt;

&lt;h2&gt;Ivanti’s Windows 11 migration workflow&lt;/h2&gt;

&lt;p&gt;Ivanti Neurons allowed us to automate key elements of the migration, from the initial device assessment to the upgrade itself, streamlining each phase and allowing our IT team to concentrate on other mission-critical activities. In general, here is how the workflow for updating devices from Windows 10 to Windows 11 looks at Ivanti.&lt;/p&gt;

&lt;h3&gt;1. Preparation&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Identify Devices:&lt;/strong&gt; Create a group of Windows 10 devices that need to be upgraded.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Download Files:&lt;/strong&gt; Push necessary files to the devices, ensuring efficient data transfer by using ZIP files.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;2. Pre-Check&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Eligibility Check:&lt;/strong&gt; Run PowerShell scripts to verify if the device meets the hardware requirements for Windows 11.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Power Check:&lt;/strong&gt; Ensure the device is connected to AC power.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;3. User Interaction&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Notification:&lt;/strong&gt; Use Teams bot integration to notify users about the upgrade and allow them to schedule it.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Consent:&lt;/strong&gt; Users provide consent for the upgrade via an interactive Teams message.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img alt="it notices" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/7/win11screenshot.png"&gt;&lt;/p&gt;

&lt;h3&gt;4. Upgrade Execution&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Run Upgrade:&lt;/strong&gt; Execute the Windows Update Assistant to perform the upgrade.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Monitor Progress:&lt;/strong&gt; Track the upgrade process and handle any errors or issues that arise.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;5. Post-Upgrade Actions&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Restart Device:&lt;/strong&gt; Prompt users to restart their devices to complete the upgrade.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Activation Check:&lt;/strong&gt; Verify that the device is activated with an enterprise licence key.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Additional Updates:&lt;/strong&gt; Apply any necessary Windows updates post-upgrade.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;6. Error Handling&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Automated Ticket Creation:&lt;/strong&gt; Use a bot to generate tickets for devices that fail the upgrade process.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Troubleshooting:&lt;/strong&gt; Enterprise services team handles cases where devices cannot be upgraded automatically.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;7. Continuous Improvement&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Refinement:&lt;/strong&gt; Break down the upgrade process into smaller automated steps to streamline operations.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Feedback:&lt;/strong&gt; Incorporate user feedback to improve the upgrade experience.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This workflow ensures a smooth transition from Windows 10 to Windows 11 while minimising disruptions and handling exceptions efficiently. This process has been rolled out gradually, taking it one week at a time. It’s been thoughtful and intentional, working to build this process and workflow for the future by ensuring it’s flexible and modular. That way, we can revisit a similar process for the next generation of Windows whenever it comes.&lt;/p&gt;

&lt;h2&gt;Ready to start your Windows 11 migration?&lt;/h2&gt;

&lt;p&gt;Migrating to Windows 11 is essential for maintaining security, efficiency and compliance. Ivanti has leveraged our own solutions to automate key steps, gather user feedback and provide extended security updates for ineligible devices, all while ensuring a smooth transition that minimises end-user disruption and maximises IT efficiency.&lt;/p&gt;

&lt;p&gt;Ivanti’s approach and workflow not only address current challenges but also set up a flexible and modular foundation for future OS upgrades.&lt;/p&gt;

&lt;p&gt;Ready to start your own Windows 11 migration? Learn how Ivanti Neurons can simplify and automate the process.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/en-gb/ivanti-neurons"&gt;Explore Ivanti Neurons&lt;/a&gt;&lt;/p&gt;
</description><pubDate>Mon, 21 Jul 2025 15:46:23 Z</pubDate></item></channel></rss>