Description
The installer of FinalCode Client provided by Digital Arts Inc. contains an incorrect default permissions vulnerability. A non-administrative user may execute arbitrary code with SYSTEM privilege.
Published: 2026-02-26
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to SYSTEM
Action: Immediate Patch
AI Analysis

Impact

The installer bundled with Digital Arts Inc.'s FinalCode Client has an incorrect default permissions setting that allows a user without administrative rights to gain SYSTEM-level privileges by executing arbitrary code during installation. This flaw is classified as CWE‑276 (Incorrect Default Permissions) and can be leveraged to run any code with full system authority on the affected machine.

Affected Systems

Digital Arts Inc. FinalCode version 5 series and version 6 series are affected. All installations that deploy the provided installer package are vulnerable until corrected.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.5 and an EPSS probability of less than one percent, indicating a low likelihood of widespread exploitation. The flaw is currently not listed in CISA’s KEV catalog. Exploitation requires local access to run the installer, but once executed it can elevate any non‑admin user to SYSTEM, providing full control over the host.

Generated by OpenCVE AI on April 17, 2026 at 14:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install a verified, up‑to‑date version of FinalCode Client that corrects the installer permissions flaw.
  • If an update is unavailable, restrict the installer executable’s permissions so that only members of the Administrators group can run it.
  • Configure local security policies or AppLocker rules to block execution of installers from untrusted locations for standard users, thereby preventing the privilege escalation pathway.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 14:45:00 +0000

  • Title (value added): Incorrect Default Permissions in FinalCode Client Installer Enable SYSTEM Privilege Escalation

Thu, 26 Feb 2026 15:15:00 +0000

  • Metrics (value added): ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

  • First Time appeared (values added): Digital Arts; Digital Arts finalcode Ver.5 Series; Digital Arts finalcode Ver.6 Series
  • Vendors & Products (values added): Digital Arts; Digital Arts finalcode Ver.5 Series; Digital Arts finalcode Ver.6 Series

Thu, 26 Feb 2026 05:45:00 +0000

  • Description (value added): The installer of FinalCode Client provided by Digital Arts Inc. contains an incorrect default permissions vulnerability. A non-administrative user may execute arbitrary code with SYSTEM privilege.
  • Weaknesses (value added): CWE-276
  • References
  • Metrics (values added): cvssV3_0

{'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-02-26T14:25:14.491Z

Reserved: 2026-02-12T07:13:38.504Z

Link: CVE-2026-23703

Vulnrichment

Updated: 2026-02-26T14:25:08.844Z

NVD

Status: Deferred

Published: 2026-02-26T06:17:15.893

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23703

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z

Weaknesses