We are dealing with an argument injection flaw in upKeeper Solutions' upKeeper Instant Privilege Access. The vulnerability arises from improper neutralization of argument delimiters in shell commands, allowing an attacker to inject malicious arguments. This can hijack a privileged thread of execution, giving the attacker elevated privileges without authentication. The weakness corresponds to CWE‑88, an argument injection issue that undermines input validation and command execution integrity.

Impact is limited to the upKeeper Instant Privilege Access product from upKeeper Solutions. All installations running version 1.5.0 or earlier are vulnerable. The advisory does not list additional affected versions, nor does it specify any other products. Users should verify that their deployments are running 1.5.0 or earlier to determine exposure.

The CVSS base score of 9.0 indicates a high severity vulnerability with potential for complete compromise of affected systems. No EPSS score is available, but the lack of exposure in the CISA KEV catalog suggests no widely known public exploits yet. The attack vector is likely local, relying on the ability to supply unsanitized arguments to a privileged command, though a remote vector is possible if the application accepts input from external sources. Until a patch is deployed, the risk remains significant.