Description
Incorrect Default Permissions, Execution with Unnecessary Privileges, Incorrect Permission Assignment for Critical Resource vulnerability in ASSA ABLOY Visionline on Windows allows Configuration/Environment Manipulation. This issue affects Visionline: from 1.0 before 1.33.
Published: 2026-03-10
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Apply Workaround
AI Analysis

Impact

An incorrect default permission setting on the Visionline webserver directory allows a local user to place a malicious executable there that is then run with elevated privileges. The vulnerability is classified as incorrect default permissions (CWE-276), execution with unnecessary privileges (CWE-250), and incorrect permission assignment for a critical resource (CWE-732). An attacker who can write to this directory could replace a legitimate file with a malicious payload and gain elevated local privileges, thereby compromising the underlying Windows system.

Affected Systems

ASSA ABLOY Visionline on Windows, versions 1.0 through 1.32 (i.e., any release before 1.33). The affected component is the webserver directory, C:\ProgramData\ASSA ABLOY\Visionline\webserver.

Risk and Exploitability

The CVSS score of 5.8 indicates moderate severity, and the EPSS score of less than 1% reflects a very low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a local account that has permission to write to the Visionline webserver folder; an attacker can replace executables there, leading to local privilege escalation.

Generated by OpenCVE AI on April 16, 2026 at 03:55 UTC.

Remediation

Vendor Workaround

* Right-click on the folder C:\ProgramData\ASSA ABLOY\Visionline\webserver
* Select Properties
* Select the Security tab
* Click Advanced
* Click Disable inheritance
* Select Convert inherited permissions into explicit permissions on this object
* Remove Users from the list


OpenCVE Recommended Actions

  • Disable inheritance on the C:\ProgramData\ASSA ABLOY\Visionline\webserver folder and remove Users from its permission list so that only the Visionline service account retains access
  • Upgrade Visionline to version 1.33 or later, which is not affected by this weakness
  • Audit and restrict permissions on all directories used by Visionline to allow only the necessary system and service accounts
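
The vendor workaround and the directory audit recommended above can be scripted; the following PowerShell is an added example, not vendor or OpenCVE code. The parameter names `$Root` and `$Target`, the `-Apply` switch and the helper `Get-UsersWriteAce` are assumptions of this sketch; `S-1-5-32-545` is the well-known SID of the built-in Users group.

```powershell
# Added example (not vendor or OpenCVE code). Run from an elevated PowerShell prompt.
# $Root, $Target, -Apply and Get-UsersWriteAce are names chosen for this sketch.
param(
    [string]$Root   = 'C:\ProgramData\ASSA ABLOY\Visionline',
    [string]$Target = 'C:\ProgramData\ASSA ABLOY\Visionline\webserver',
    [switch]$Apply   # without -Apply the script only reports
)

$usersSid = 'S-1-5-32-545'   # BUILTIN\Users, independent of the Windows display language
# Rights that let a principal plant or swap files, plus GENERIC_WRITE / GENERIC_ALL bits.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000

function Get-UsersWriteAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Request SIDs instead of account names so the comparison works on localized systems.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $usersSid -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band $writeMask)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $Path
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
            }
        }
}

if ($Apply) {
    # Vendor workaround: disable inheritance while keeping the inherited ACEs as
    # explicit entries, then remove every ACE for Users from the webserver folder.
    icacls $Target /inheritance:d
    icacls $Target /remove "*$usersSid"
}

# Audit: every directory under the Visionline data root where Users can still write.
$dirs = @($Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force |
    Select-Object -ExpandProperty FullName)
$findings = $dirs | ForEach-Object { Get-UsersWriteAce -Path $_ }

$findings | Format-Table -AutoSize
"Inheritance disabled on target: $((Get-Acl -LiteralPath $Target).AreAccessRulesProtected)"
"Directories writable by Users:  $(@($findings).Count)"
```

Run it once without `-Apply` to record the current state, then with `-Apply`; afterwards the webserver folder should no longer appear in the findings and the inheritance line should read `True`.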


Advisories

No advisories yet.

History

Wed, 11 Mar 2026 12:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Assa Abloy; Assa Abloy visionline |
| Vendors & Products | | Assa Abloy; Assa Abloy visionline |

Wed, 11 Mar 2026 06:30:00 +0000


Wed, 11 Mar 2026 05:30:00 +0000


Tue, 10 Mar 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 10 Mar 2026 09:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Incorrect Default Permissions, Execution with Unnecessary Privileges, Incorrect Permission Assignment for Critical Resource vulnerability in ASSA ABLOY Visionline on Windows allows Configuration/Environment Manipulation. This issue affects Visionline: from 1.0 before 1.33. |
| Title | | Local Privilege Escalation Due to Writable Executable in Privileged Visionline Service Path |
| Weaknesses | | CWE-250; CWE-276; CWE-732 |
| References | | |
| Metrics | | cvssV4_0: {'score': 5.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L/AU:Y/R:U/RE:L/U:Clear'} |


Subscriptions

Assa Abloy Visionline
MITRE

Status: PUBLISHED

Assigner: NCSC-FI

Published:

Updated: 2026-03-11T05:13:30.886Z

Reserved: 2026-02-27T06:40:06.038Z

Link: CVE-2026-3315

Vulnrichment

Updated: 2026-03-10T13:51:42.640Z

NVD

Status: Awaiting Analysis

Published: 2026-03-10T18:19:01.367

Modified: 2026-03-11T13:53:20.707

Link: CVE-2026-3315

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T04:00:09Z

Weaknesses