Description
SANUPS SOFTWARE provided by SANYO DENKI CO., LTD. registers Windows services with unquoted file paths. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.
Published: 2026-03-25
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to SYSTEM
Action: Immediate Patch
AI Analysis

Impact

Service registration uses unquoted file paths, enabling execution of arbitrary code with SYSTEM privileges when the user has write access on the system drive root. This flaw allows a local attacker to execute programs with unwarranted elevated privileges, potentially leading to full system compromise.

Affected Systems

Susceptible products are SANYO DENKI CO., LTD.'s SANUPS SOFTWARE and SANUPS SOFTWARE STANDALONE. No specific version details are supplied; the issue exists across all releases listed in the references.

Risk and Exploitability

The CVSS score of 8.4 indicates a high severity vulnerability. While EPSS data is unavailable and the vulnerability is not listed in KEV, the requirement for write permission on the system drive root suggests a local attack vector. An attacker with such local access can immediately gain SYSTEM level code execution, making this flaw a serious threat if left unaddressed.

Generated by OpenCVE AI on March 25, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s website for patch releases or an upgraded SANUPS version that corrects the unquoted path issue and apply it urgently.
  • If no patch is available, limit write permissions on the system drive root folder to trusted administrators only to prevent arbitrary code execution.
  • Monitor the system drive for unexpected service registrations and alert on changes to the service configuration files.
  • Disable or remove unused local services that might be registered using unquoted paths.

Generated by OpenCVE AI on March 25, 2026 at 06:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Unquoted Service Path Allows SYSTEM Privilege Escalation in SANYO DENKI SANUPS Software

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Sanyo Denki
Sanyo Denki sanups Software
Sanyo Denki sanups Software Standalone
Vendors & Products Sanyo Denki
Sanyo Denki sanups Software
Sanyo Denki sanups Software Standalone

Wed, 25 Mar 2026 05:45:00 +0000

Type Values Removed Values Added
Description SANUPS SOFTWARE provided by SANYO DENKI CO., LTD. registers Windows services with unquoted file paths. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.
Weaknesses CWE-428
References
Metrics cvssV3_0

{'score': 6.7, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Sanyo Denki Sanups Software Sanups Software Standalone
cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-03-25T13:28:29.422Z

Reserved: 2026-03-18T08:17:06.156Z

Link: CVE-2026-33253

cve-icon Vulnrichment

Updated: 2026-03-25T13:28:24.408Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T06:16:28.527

Modified: 2026-03-25T15:41:33.977

Link: CVE-2026-33253

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T21:15:57Z

Weaknesses