CVE-2026-9489

NitroSense 3.x before 3.01.3052 contains Local Privilege Escalation (LPE) vulnerability.The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary code with NT AUTHORITY\SYSTEM privileges and to delete arbitrary files with SYSTEM privileges. By leveraging this, an attacker can execute arbitrary code on the target system with elevated privileges.

CVSS

No CVSS.

References

Link	Resource
https://community.acer.com/en/kb/articles/19652

Configurations

No configuration.

History

25 May 2026, 02:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-25 02:16

Updated : 2026-05-26 19:05

NVD link : CVE-2026-9489

Mitre link : CVE-2026-9489

CVE.ORG link : CVE-2026-9489

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-269

Improper Privilege Management

CWE-284

Improper Access Control

CWE-732

Incorrect Permission Assignment for Critical Resource

{"id": "CVE-2026-9489", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "8fc372e3-d9c5-46e4-9410-38469745c639", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-05-25T02:16:57.773", "references": [{"url": "https://community.acer.com/en/kb/articles/19652", "source": "8fc372e3-d9c5-46e4-9410-38469745c639"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "8fc372e3-d9c5-46e4-9410-38469745c639", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-269"}, {"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-732"}]}], "descriptions": [{"lang": "en", "value": "NitroSense 3.x before 3.01.3052 contains Local Privilege Escalation (LPE) vulnerability.The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary code with NT AUTHORITY\\SYSTEM privileges and to delete arbitrary files with SYSTEM privileges. By leveraging this, an attacker can execute arbitrary code on the target system with elevated privileges."}], "lastModified": "2026-05-26T19:05:09.927", "sourceIdentifier": "8fc372e3-d9c5-46e4-9410-38469745c639"}