Impact
Improper input validation in Microsoft System Center Operations Manager (SCOM) allows an attacker who has authorized access to the system to elevate their privileges over a network. The vulnerability could enable a low‑privileged user to gain additional rights and potentially execute arbitrary commands or actions within the SCOM environment, thereby compromising confidentiality, integrity, and availability of monitoring data and related resources. The weakness is identified as CWE‑20, reflecting an improper input validation flaw.
Affected Systems
The affected products are Microsoft System Center Operations Manager versions 2019, 2022, and 2025. All update rollups listed in the CPE data are potentially vulnerable, meaning any installation of these product releases prior to the Microsoft patch referenced in the advisory is susceptible. No specific patch release numbers are provided in the CVE entry, but the vendor advisory URL indicates that Microsoft has issued a fix for these releases.
Risk and Exploitability
The CVSS score of 8.8 denotes high severity, while the low EPSS probability (<1%) suggests that exploitation is unlikely in the near term. The vulnerability is not listed in the CISA KEV catalog, which further indicates moderate risk. Based on the description, the likely attack vector is network‑based and requires the attacker to be authenticated with at least some authorized access to the SCOM environment; from that position the attacker could supply crafted input to trigger the privilege escalation. Microsoft provides no official workaround, which emphasizes the need for timely patching.