|
[Japanese]
|
JVNDB-2026-000088
|
ExpressUpdate Agent for Windows improper access restriction on its named pipe
|
|
ExpressUpdate Agent for Windows provided by NEC Corporation is the software module for NEC server products, to support remote management of installed software.
ExpressUpdate Agent for Windows configures its named pipe with an improper access restriction.- Exposed IOCTL with Insufficient Access Control (CWE-782) - CVE-2026-8797
MASAHIRO IIDA of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 7.8 (High) [IPA Score]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
|
CVSS v4 Severity
Base Metrics: 8.5 (High) [IPA Score]
- Access Vector (AV): Local
- Attack Complexity (AC): Low
- Attack Requirements (AT): None
- Privileges Required (PR): Low
- User Interaction (UI): None
Vulnerable System Impact
- Confidentiality Impact (VC): High
- Integrity Impact (VI): High
- Availability Impact (VA): High
Subsequent System Impact
- Confidentiality Impact (SC): None
- Integrity Impact (SI): None
- Availability Impact (SA): None
|
|
|
NEC Corporation
- ExpressUpdate Agent for Windows 3.24 and prior
|
|
|
A non-administrative user who logs in to the product may execute arbitrary code with SYSTEM privilege.
|
|
[Update the Software]
Update the software to the latest version according to the information provided by the developer.
The developer has released the following version addressing the vulnerability. - ExpressUpdate Agent for Windows 3.25
|
|
NEC Corporation
|
|
- No Mapping(CWE-Other) [IPA Evaluation]
|
|
- CVE-2026-8797
|
|
- JVN : JVN#35146924
|
|
- [2026/06/26]
Web page was published
|
