Description
Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the MSI_SERVICE_2 pipe
Published: 2026-06-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from insecure permissions set on the MSI NBFoundation Service named pipe, MSI_SERVICE_2. A remote attacker can open a connection to the pipe and read data that the service exposes without any authentication, leading to a loss of confidentiality of the information the service handles. The flaw is a classic example of a permission‑related data exposure, categorized as CWE‑200.

Affected Systems

The MSI NBFoundation Service version 2.0.2506.1201, distributed by MSI, is affected. No other vendor or product versions are identified in the CNA data.

Risk and Exploitability

The CVSS score is 7.5 and the EPSS score is less than 1 %, indicating that exploitation is possible but unlikely to be widely seen. The vulnerability is not listed in the CISA KEV catalog, meaning there are no confirmed large‑scale attacks at this time. Exploitation requires a remote actor to connect to the MSI_SERVICE_2 named pipe, which can be accessed without authentication because of the insecure permissions. The primary risk is a confidentiality compromise; there is no evidence that the flaw would affect integrity or availability.

Generated by OpenCVE AI on June 26, 2026 at 18:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MSI NBFoundation Service to the latest version released by MSI that addresses the pipe permission issue.
  • If an upgrade cannot be performed immediately, apply a security descriptor to the MSI_SERVICE_2 pipe that restricts access to trusted system accounts only.
  • As a temporary workaround, disable or uninstall the MSI NBFoundation Service if it is not required for business operations.
  • Enable system auditing or monitoring to detect unauthorized connections to the MSI_SERVICE_2 named pipe.

Generated by OpenCVE AI on June 26, 2026 at 18:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Title Insecure Permissions on MSI NBFoundation Service Named Pipe Exposes Sensitive Information

Fri, 26 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Msi
Msi nbfoundation Service
Vendors & Products Msi
Msi nbfoundation Service

Thu, 25 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Title Insecure Permissions on MSI NBFoundation Service Named Pipe Exposes Sensitive Information
Weaknesses CWE-200

Thu, 25 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the MSI_SERVICE_2 pipe
References

Subscriptions

Msi Nbfoundation Service
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-26T14:11:18.285Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37453

cve-icon Vulnrichment

Updated: 2026-06-26T14:11:14.693Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T18:15:04Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor