Description
.NET misconfiguration: use of impersonation vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Hijacking a Privileged Thread of Execution. This issue affects upKeeper Instant Privilege Access: through 1.5.0.
Published: 2026-04-14
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from a .NET misconfiguration that permits the use of impersonation in upKeeper Instant Privilege Access. This flaw enables an attacker to hijack a privileged thread of execution, effectively taking control of the thread's security context. As a result, the attacker can perform higher-privilege actions, such as accessing sensitive data or executing privileged code, without the need for direct credential compromise. The weakness is classified as CWE-520 (.NET Misconfiguration: Use of Impersonation).

Affected Systems

The issue affects upKeeper Solutions’ upKeeper Instant Privilege Access application. Versions up to and including 1.5.0 are vulnerable. No other product or vendor information is specified.

Risk and Exploitability

The CVSS score of 7.4 indicates a high severity level, while no EPSS value is provided and the vulnerability is not listed in the CISA KEV catalog, suggesting limited documented exploitation. The attack appears to rely on the ability to influence the application’s impersonation mechanism, implying an internal or compromised environment as the primary vector. Nonetheless, the impact on confidentiality, integrity, and availability could be substantial if an attacker succeeds in hijacking the thread, making this a significant risk for affected deployments.

Generated by OpenCVE AI on April 14, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest update for upKeeper Instant Privilege Access, upgrading to a version beyond 1.5.0 as released by the vendor.
  • Verify that impersonation settings are disabled or correctly configured to prevent unauthorized thread hijacking.
  • Implement logging and monitoring of thread activity to detect any anomalous hijacking attempts.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:45:00 +0000

Type | Values Removed | Values Added
Title | | Thread Hijack via .NET Impersonation Misconfiguration

Tue, 14 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Upkeeper Solutions; Upkeeper Solutions upkeeper Instant Privlege Access
Vendors & Products | | Upkeeper Solutions; Upkeeper Solutions upkeeper Instant Privlege Access

Tue, 14 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description | | .NET misconfiguration: use of impersonation vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Hijacking a Privileged Thread of Execution. This issue affects upKeeper Instant Privilege Access: through 1.5.0.
Weaknesses | | CWE-520
References | |
Metrics | | cvssV4_0: {'score': 7.4, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: upKeeper

Published:

Updated: 2026-04-14T13:14:16.443Z

Reserved: 2026-02-13T09:53:47.576Z

Link: CVE-2026-2450

Vulnrichment

Updated: 2026-04-14T13:08:44.331Z

NVD

Status: Received

Published: 2026-04-14T13:16:22.333

Modified: 2026-04-14T13:16:22.333

Link: CVE-2026-2450

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:30:31Z

Weaknesses