Description
The absence of permissions control for the user XXX allows the current configuration in the sudoers file to escalate privileges without any restrictions
Published: 2026-01-07
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Now
AI Analysis

Impact

The vulnerability arises from an incorrect sudoers configuration that fails to enforce permissions for the user XXX, allowing that user to execute commands as the superuser without restriction. This flaw enables an attacker with local access to elevate privileges, obtain full system control, and compromise confidentiality, integrity, and availability of the affected device. The weakness maps to CWE-269, reflecting a lack of authorization controls.

Affected Systems

The affected products are EFACEC's QC series controllers, including the QC 60, QC 90, and QC 120 models, which carry the described sudoers misconfiguration. No specific firmware or software version details are disclosed; the flaw is reported against all current releases of the product line.

Risk and Exploitability

The CVSS score of 8.6 indicates a high-severity vulnerability. EPSS is below 1 %, suggesting a low but not negligible likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, implying that no publicly available exploit code has yet been confirmed. Exploitation likely requires local access and knowledge of the sudoers file. An attacker who can log in as user XXX could achieve full privilege escalation by running arbitrary commands as root.

Generated by OpenCVE AI on April 18, 2026 at 08:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest EFACEC firmware update that corrects the sudoers permissions enforcement.
  • Audit the /etc/sudoers configuration and remove or restrict entries that grant user XXX unrestricted root access.
  • If the user XXX is not required for administrative tasks, remove the account from the sudoers file or delete the account entirely.
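The audit in the second action above can be scripted. The following is an added example written for this page, not code from OpenCVE or EFACEC: it parses sudoers user specifications, flags every entry whose command list is the unrestricted ALL (and notes when NOPASSWD is set), and shows a hardened replacement for the offending line. The sample sudoers content is constructed, the user name XXX is the advisory's own placeholder, and the command path in the hardened line is an assumption about what such an account might legitimately need.

```python
import re

# Constructed sample /etc/sudoers (not taken from the affected device).
SAMPLE_SUDOERS = """\
# constructed sample for demonstration
Defaults env_reset
root    ALL=(ALL:ALL) ALL
XXX     ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
%admin  ALL=(ALL) ALL
"""

# Hardened replacement for the XXX line: one explicit command, run as root
# only, with a password prompt. The service path is an assumed example.
HARDENED_LINE = "XXX     ALL=(root) /usr/sbin/service qc-daemon restart"

# user_or_group  host(s) = (runas) [tags:] command[, command...]
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<cmds>.+)$"
)
# Tags that may precede a command, e.g. NOPASSWD:, NOEXEC:, SETENV:
TAG = re.compile(r"^(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT|MAIL|FOLLOW|INTERCEPT):\s*")
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "Cmd_Alias")


def parse_sudoers(text):
    """Return a list of user specifications found in sudoers text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments, #include lines
        if not line or line.startswith(SKIP):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        commands, nopasswd = [], False
        for item in m.group("cmds").split(","):
            item = item.strip()
            while (t := TAG.match(item)):       # peel off leading tags
                if item.startswith("NOPASSWD:"):
                    nopasswd = True
                item = item[t.end():]
            commands.append(item)
        entries.append({
            "line": lineno,
            "who": m.group("who"),
            "hosts": m.group("hosts"),
            "runas": m.group("runas") or "root",
            "commands": commands,
            "nopasswd": nopasswd,
        })
    return entries


def find_unrestricted(text):
    """Entries whose command list contains the unrestricted ALL."""
    return [e for e in parse_sudoers(text) if "ALL" in e["commands"]]


def report(text):
    """Human-readable findings, one line per unrestricted entry."""
    lines = []
    for e in find_unrestricted(text):
        tag = " (NOPASSWD)" if e["nopasswd"] else ""
        lines.append(f"line {e['line']}: {e['who']} may run ALL as ({e['runas']}){tag}")
    return lines


def hardened_text():
    """The sample with the XXX entry replaced by the restricted line."""
    return SAMPLE_SUDOERS.replace("XXX     ALL=(ALL) NOPASSWD: ALL", HARDENED_LINE)


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SUDOERS)))
    print("--- after hardening ---")
    print("\n".join(report(hardened_text())))
```

The script reads sudoers text rather than the live file so it can be run over a copy pulled from a device; on the device itself, `visudo -c` remains the authoritative syntax check, and entries for `root` or an administrators group are expected to be flagged and should be reviewed rather than removed blindly.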


Advisories

No advisories yet.

References
History

Thu, 08 Jan 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Sudo; Sudo sudo
Vendors & Products                    Sudo; Sudo sudo

Wed, 07 Jan 2026 18:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 17:00:00 +0000

Type          Values Removed   Values Added
Description                    The absence of permissions control for the user XXX allows the current configuration in the sudoers file to escalate privileges without any restrictions
Title                          PRIVILEGE ESCALATION VIA SUDO COMMAND
Weaknesses                     CWE-269
References
Metrics                        cvssV4_0
  {'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: S21sec

Published:

Updated: 2026-01-07T17:19:18.449Z

Reserved: 2026-01-07T14:01:04.828Z

Link: CVE-2026-22536

Vulnrichment

Updated: 2026-01-07T17:19:13.534Z

NVD

Status: Deferred

Published: 2026-01-07T17:16:03.777

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22536

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:15:15Z

Weaknesses