Description
Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service. The update service runs as NT AUTHORITY\SYSTEM and exposes a .NET Remoting interface over a named pipe without sufficient access controls or authorization. A local authenticated low-privileged user can connect to the interface and invoke privileged update methods such as Update(). This allows arbitrary file write and delete operations with SYSTEM privileges and can be used to achieve local privilege escalation.
Published: 2026-06-17
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the Client Update Service of Quanos SCHEMA ST4 where the service is executed as NT AUTHORITY\SYSTEM and exposes a .NET Remoting interface over a named pipe. The interface lacks proper access controls or authorization checks, allowing a local authenticated user to invoke privileged update methods such as Update(). This allows the attacker to perform arbitrary file write and delete operations with SYSTEM privileges, effectively achieving local privilege escalation.

Affected Systems

The affected product is Quanos Solutions GmbH SCHEMA ST4 deployed on‑premises. Version information is not specified in the data provided and no cloud or SaaS deployment of Quanos SCHEMA ST4 is affected.

Risk and Exploitability

The attack requires local host access with an authenticated user session, so it is a local privilege escalation rather than a remote attack vector. The CVSS score of 8.4 indicates a high severity, while the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. In environments that strictly enforce the principle of least privilege, the attack surface is reduced, though the vulnerability could be exploited by any low‑privileged local user who can access the named pipe. The vendor recommends disabling the Client Update Service until a patch is released, and provides a workaround to manually perform client updates only with a privileged account.

Generated by OpenCVE AI on June 18, 2026 at 11:58 UTC.

Remediation

Vendor Solution

The vendor does not provide a patch. The vendor recommends disabling the affected Client Update Service. Updating the client is then only possible manually with a privileged user account. Quanos confirms that exploitation requires local host access with an authenticated user session. In properly managed environments following the Least Privilege principle, the attack surface is significantly reduced. Quanos Cloud/SaaS deployments are not affected. Quanos considers the migration to the Cloud/SaaS architecture the strategic long-term solution.


Vendor Workaround

Disable the Client Update Service until a fix is provided. Restrict local interactive access to systems running SCHEMA ST4 on-premises. Apply the principle of least privilege to local user accounts and prevent untrusted users from obtaining local sessions on affected hosts. Ensure that only trusted administrators can perform client updates manually.


OpenCVE Recommended Actions

  • Disable the Client Update Service until a vendor patch is available
  • Restrict local interactive access to systems running SCHEMA ST4 on‑premises
  • Apply the principle of least privilege to local user accounts and prevent untrusted users from obtaining local sessions on affected hosts
  • Ensure that only trusted administrators perform client updates manually

Generated by OpenCVE AI on June 18, 2026 at 11:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Quanos Solutions
Quanos Solutions schema St4
Vendors & Products Quanos Solutions
Quanos Solutions schema St4

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Description Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service. The update service runs as NT AUTHORITY\SYSTEM and exposes a .NET Remoting interface over a named pipe without sufficient access controls or authorization. A local authenticated low-privileged user can connect to the interface and invoke privileged update methods such as Update(). This allows arbitrary file write and delete operations with SYSTEM privileges and can be used to achieve local privilege escalation.
Title Missing authorization in Quanos SCHEMA ST4 Client Update Service allows arbitrary file overwrite as SYSTEM
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Quanos Solutions Schema St4
cve-icon MITRE

Status: PUBLISHED

Assigner: SEC-VLab

Published:

Updated: 2026-06-17T14:56:22.560Z

Reserved: 2026-06-10T09:08:26.174Z

Link: CVE-2026-11858

cve-icon Vulnrichment

Updated: 2026-06-17T14:56:18.581Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:03:27Z

Weaknesses