CVE-2016-5720 in Skype

Summary

by MITRE

Multiple untrusted search path vulnerabilities in Microsoft Skype allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) msi.dll, (2) dpapi.dll, or (3) cryptui.dll that is located in the current working directory.

Analysis

by VulDB Data Team • 05/14/2026

The vulnerability identified as CVE-2016-5720 represents a critical untrusted search path issue affecting Microsoft Skype applications across multiple operating systems. This flaw stems from the application's improper handling of dynamic link library loading mechanisms, where Skype fails to properly validate the source of loaded libraries, creating opportunities for privilege escalation and arbitrary code execution. The vulnerability specifically impacts versions of Skype that utilize Windows DLL loading behavior without explicit path validation, making it particularly dangerous in enterprise environments where Skype is widely deployed. According to CWE-427, this represents a classic uncontrolled search path vulnerability that allows attackers to manipulate the library loading process through malicious files placed in the current working directory. The attack vector leverages the Windows DLL search order mechanism where the system first looks in the current working directory before examining system directories, enabling attackers to place malicious libraries that will be loaded in place of legitimate ones.

The technical exploitation of this vulnerability requires local user access and involves placing specially crafted malicious DLL files named msi.dll, dpapi.dll, or cryptui.dll in the same directory where Skype is executed. These specific library names are chosen because they correspond to legitimate Windows system libraries that Skype may attempt to load during normal operation. When Skype executes and attempts to load one of these libraries, the system's search order will find the malicious file first in the current working directory, causing the attacker's code to execute with the privileges of the Skype process. This creates a persistent threat vector that can be exploited across different user sessions and potentially escalate privileges if the Skype process runs with elevated permissions. The vulnerability aligns with ATT&CK technique T1059.001 for command and scripting interpreter usage and T1546.009 for exploitative use of Windows DLLs, demonstrating how attackers can leverage legitimate system components to achieve malicious objectives.

The operational impact of this vulnerability extends beyond simple code execution, as it enables sophisticated attack chains including privilege escalation, persistence mechanisms, and lateral movement within compromised networks. Attackers can use this vulnerability to establish persistent backdoors through the Skype application, as the malicious DLLs remain in the working directory and will be loaded every time Skype runs. The vulnerability affects not only individual user systems but also enterprise environments where Skype is deployed at scale, potentially allowing attackers to compromise multiple endpoints simultaneously. Organizations running Skype in enterprise settings face heightened risk due to the widespread deployment and the potential for these attacks to go undetected for extended periods. The vulnerability also impacts various Windows versions including Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2012, and Windows Server 2016, making it a widespread concern across multiple platform versions.

Network administrators must consider this vulnerability as part of their broader security posture, particularly in environments where users have local access to systems running Skype. The exploitability factor is relatively high due to the local user requirement being easily satisfied in most enterprise environments, and the attack does not require special privileges beyond standard user access to the system where Skype is installed. Security teams should implement monitoring for suspicious DLL loading activities and consider implementing application whitelisting policies to prevent unauthorized DLL execution. The vulnerability demonstrates the critical importance of proper library loading practices and highlights the need for robust application security controls in enterprise software deployment scenarios.
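
An added example (not VulDB's or Microsoft's code) of the DLL-load monitoring recommended above: it filters image-load records for the three DLL names in the summary when they are mapped from outside the Windows system directories. The field names follow Sysmon's image-load event (Event ID 7); the sample records, their paths, the trusted-directory list and the `process_hint` filter are constructed assumptions.

```python
import ntpath  # Windows path rules, usable on any analysis host

# DLL names listed in the CVE-2016-5720 summary.
WATCHED_DLLS = {"msi.dll", "dpapi.dll", "cryptui.dll"}
# Assumption: genuine copies live only in these directories on a default install.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_suspicious_load(event):
    """True when a watched DLL is mapped from outside the trusted system directories."""
    # normpath collapses "..", so System32\..\Temp is not mistaken for System32.
    loaded = ntpath.normpath(event["ImageLoaded"]).lower()
    directory, name = ntpath.split(loaded)
    return name in WATCHED_DLLS and directory not in TRUSTED_DIRS


def find_hijack_candidates(events, process_hint="skype"):
    """Return (process, dll, signed) for suspicious loads by matching processes."""
    hits = []
    for ev in events:
        if process_hint not in ntpath.basename(ev["Image"]).lower():
            continue
        if is_suspicious_load(ev):
            hits.append((ev["Image"], ev["ImageLoaded"], ev.get("Signed", "false")))
    return hits


# Constructed sample records (not real telemetry); all paths are hypothetical.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\SkypeSetup.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\msi.dll", "Signed": "false"},
    {"Image": r"C:\Program Files (x86)\Skype\Phone\Skype.exe",
     "ImageLoaded": r"C:\WINDOWS\SysWOW64\dpapi.dll", "Signed": "true"},
    {"Image": r"C:\Program Files (x86)\Skype\Phone\Skype.exe",
     "ImageLoaded": r"C:\Windows\System32\..\Temp\cryptui.dll", "Signed": "false"},
    {"Image": r"C:\Program Files (x86)\Skype\Phone\Skype.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for process, dll, signed in find_hijack_candidates(SAMPLE_EVENTS):
        print(f"ALERT {process} loaded {dll} (signed={signed})")
```

The `Signed` value is carried into each hit so an analyst can triage unsigned copies first; it is not used as an allow condition, since the directory check is what identifies the out-of-place load.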

Reservation

06/16/2016

Disclosure

01/23/2017

Moderation

accepted

Entry

VDB-92242

CPE

ready

Exploit

Download

EPSS

0.00972

KEV

no

Activities

very low

Sources
