Takeover flaw in SBI's HYPER SBI 2 installer (CVE-2026-42936): update to 3.20.0
A takeover vulnerability, CVE-2026-42936, has been found in the installer of HYPER SBI 2, the stock-trading tool from Japan's SBI SECURITIES. Installers before version 3.20.0 are affected, rated 8.4/10 (High). We explain the attack conditions and the simple fix in plain language.
Table of contents
A takeover vulnerability, CVE-2026-42936, has been found in the installer of HYPER SBI 2, the stock-trading tool from Japan's SBI SECURITIES. Installers before version 3.20.0 are affected, rated 8.4/10 (High). We explain the attack conditions and the simple fix in plain language.
A vulnerability that could let an attacker take over your PC has been found in "HYPER SBI 2," the stock-trading tool from Japanese brokerage SBI SECURITIES. It was published by JVN (Japan's vulnerability database) on July 15, 2026, and is tracked as CVE-2026-42936.
The flaw is in the installer—the setup program you run to install or update the tool. Installers before version 3.20.0 are affected, and under the right conditions an attacker's program can run on your machine. Severity is rated 8.4 out of 10 (High).
HYPER SBI 2 is a free, high-function Windows trading tool for SBI SECURITIES account holders. It lets users place orders while watching real-time prices and charts, so it is widely used by individual investors. The fix is simple: update to the patched latest version (3.20.0 or later). Here is what is dangerous, and when the risk actually applies.
Vulnerability overview
CVE-2026-42936: a "DLL loading" flaw in the installer
This is what is technically called an uncontrolled DLL search path (DLL hijacking). Windows programs load component files called DLLs when they run. The HYPER SBI 2 installer looks for these components by checking its own folder first. So if an attacker plants a fake component file in the same folder as the installer, the fake is loaded instead of the real one, and the attacker's code runs.
| Item | Detail |
|---|---|
| ID | CVE-2026-42936 / JVN#59875262 |
| Product | HYPER SBI 2 (SBI SECURITIES) |
| Affected | Installers before 3.20.0 |
| Type | DLL search-path flaw (CWE-427) |
| Severity | CVSS v4.0: 8.4 (High) CVSS v3.0: 7.8 (High) |
| Impact | Arbitrary code runs with the running user's rights |
| Fix | Update to 3.20.0 or later |
| Reporter | Kazuma Matsumoto (GMO Cybersecurity by Ierae) |
Is your version at risk? (quick guide)
The danger applies when you run the installer (the setup/update program). An already-installed, running copy of the app is not taken over by this flaw alone. But if you next update using an old installer, you are exposed—so check your situation below.
| Your situation | Risk | What to do |
|---|---|---|
| On 3.20.0 or later | Patched | Nothing further |
| On a version before 3.20.0 | At risk on next update | Update to latest |
| Installing fresh from now | Old setup files are risky | Get latest from official site |
| Old setup file left in Downloads | Risky if run | Delete the old setup file |
You can check your version in the HYPER SBI 2 menu or on the SBI SECURITIES release notes. If an old setup .exe is sitting in your Downloads folder, delete it rather than running it, and grab the latest version from the official site instead.
Who would exploit this, and how
This is not a "anyone can take over your PC remotely, right now" flaw. Exploitation has preconditions, and understanding them lets you avoid both panic and complacency.
The attacker is someone already able to drop a file onto your PC: malware that has already gotten in, someone with brief access to a shared computer, or someone distributing a doctored archive (zip) claiming to be "the HYPER SBI 2 setup file."
That attacker quietly places a fake component file (DLL) in the same folder as the installer. Since most people run the installer straight from the Downloads folder, that becomes the prime target spot. The moment you double-click the installer, the fake is loaded and the attacker's program starts running with your privileges.
If takeover succeeds, the damage is not confined to the trading tool. Running with your rights, the attacker could read other files, install more malware, or steal passwords and login details. Because this is a machine used for a brokerage account, money-linked information is concentrated there. On a shared corporate machine, it can become a stepping stone for spreading further inside the network.
How it works, technically
When a Windows program loads a DLL (component file), the OS searches folders in a set order. Under the default order, "the same folder as the executable" can be searched with priority. If the program does not strictly specify the path of the DLL it loads, an attacker only needs to place a same-named fake DLL in that folder for the fake to be loaded before the real one. This is DLL hijacking (also called DLL planting), categorized as CWE-427 (Uncontrolled Search Path Element).
Installers are a common target: they are used only briefly and often run with administrator rights. SBI SECURITIES has been here before—the older "HYPER SBI" tool had the same class of installer DLL flaw (JVN#71284826), and this time the same family of weakness turned up in its successor, HYPER SBI 2. The reporter is Kazuma Matsumoto of the security-testing firm GMO Cybersecurity by Ierae.
What to do now
The response is not hard. The basics cover it.
First, update HYPER SBI 2 to the latest version (3.20.0 or later). That is the root fix; if you are already current, nothing more is needed. Second, get the setup .exe from the official site and tidy up where you run it. Do not use setup files received via social media, email, or unknown distribution sites. Rather than running it in a cluttered Downloads folder, move just the setup file into a new empty folder and run it there, so there is no room for a fake DLL to hide. Third, delete old setup files once you are done—an old setup .exe lingering in Downloads is an easy re-entry point if run by accident.
Finally, keeping malware off your PC in the first place is the premise here. Because this flaw abuses an "attacker can already drop a file" state, the everyday basics—keeping your OS and security software current and not opening suspicious files—are themselves the defense.
Sources
- â–¸ JVN#59875262 - DLL loading vulnerability in the HYPER SBI 2 installer (July 15, 2026)
- â–¸ JVN#71284826 - DLL loading vulnerability in the older HYPER SBI installer (same class)
- â–¸ SBI SECURITIES - HYPER SBI 2 product page
- â–¸ SBI SECURITIES - HYPER SBI 2 release notes
- â–¸ CWE-427: Uncontrolled Search Path Element

Makoto Horikawa
Backend Engineer / AWS / Django