CAPEC-471: Search Order Hijacking

An adversary exploits a weakness in an application's specification of external libraries to exploit the functionality of the loader where the process loading the library searches first in the same directory in which the process binary resides and then in other directories. Exploitation of this preferential search order can allow an attacker to make the loading process load the adversary's rogue library rather than the legitimate library. This attack can be leveraged with many different libraries and with many different loading processes. No forensic trails are left in the system's registry or file system that an incorrect library had been loaded.

Last updated June 1, 2026

Medium

Typical severity

Per MITRE

Not rated

Likelihood of attack

Per MITRE

Related weaknesses

CWEs this targets

Detailed

Abstraction

MITRE classification

CAPEC-471: Search Order Hijacking

CAPEC-471: Search Order Hijacking

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

How to mitigate it

Examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-471?

How does a Search Order Hijacking attack work?

How do you prevent CAPEC-471?

What weaknesses does CAPEC-471 target?

How severe is CAPEC-471?

References

Defend against CAPEC-471

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

How to mitigate it

Examples

Related weaknesses

Related attack patterns

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-471?

How does a Search Order Hijacking attack work?

How do you prevent CAPEC-471?

What weaknesses does CAPEC-471 target?

How severe is CAPEC-471?

References

Defend against CAPEC-471