Description
Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the MSIAPService.exe component
Published: 2026-06-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An insecure permissions configuration in the MSI NBFoundation Service version 2.0.2506.1201 enables a remote attacker by interacting with the MSIAPService.exe component. The issue is a CWE-200 (information exposure) weakness, allowing unauthorized reads of protected data, thereby exposing confidential information.

Affected Systems

MSI NBFoundation Service version 2.0.2506.1201 is affected. The issue centers on the MSIAPService.exe executable, whose filesystem permissions permit exposure of sensitive data to unauthorized users.

Risk and Exploitability

The CVSS score is 7.5, the EPSS score is <1%, and it is not listed in the CISA KEV catalog, so the risk assessment relies on these metrics. The lack of proper permissions grants remote attackers the ability to read protected information, which could facilitate broader compromise if additional data or credentials are revealed. The likely attack vector is remote, as the description refers to a "remote attacker," but the exact method of exploitation is unspecified beyond access to the MSIAPService.exe component.

Generated by OpenCVE AI on June 26, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If an official patch or updated MSI NBFoundation Service version is available, upgrade immediately to eliminate the insecure permissions configuration.
  • Verify that the MSIAPService.exe file and any related configuration files have permissions that restrict access to privileged or authorized accounts only, and remove any world‑readable or executable rights.
  • If an update is not yet released, limit the network exposure of the MSIAPService component host‑based controls to restrict access to trusted hosts and monitor system logs for anomalous access attempts.

Generated by OpenCVE AI on June 26, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Title Insecure Permissions in MSI NBFoundation Service Allow Remote Information Disclosure

Fri, 26 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Title Insecure Permissions in MSI NBFoundation Service Expose Sensitive Data
Weaknesses CWE-284

Fri, 26 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Msi
Msi nbfoundation Service
Vendors & Products Msi
Msi nbfoundation Service

Thu, 25 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Title Insecure Permissions in MSI NBFoundation Service Expose Sensitive Data
Weaknesses CWE-284

Thu, 25 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the MSIAPService.exe component
References

Subscriptions

Msi Nbfoundation Service
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-26T14:09:16.327Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37452

cve-icon Vulnrichment

Updated: 2026-06-26T14:09:12.288Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T18:30:05Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor