CVE-2026-37454 - Vulnerability Details

Description

Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the 3DES-ECB encryption

Published: 2026-06-25

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The MSI NBFoundation Service v.2.0.2506.1201 contains an insecure permissions flaw that allows a remote attacker to obtain sensitive information via 3DES-ECB encryption. The vulnerability stems from improper access control, enabling the attacker to read or extract confidential data and thereby compromise confidentiality.

Affected Systems

The affected product is MSI NBFoundation Service version 2.0.2506.1201. No other vendors or versions are listed.

Risk and Exploitability

No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, indicating limited publicly known exploitation. Because the service uses insecure permissions, a remote attacker could potentially read or exfiltrate encrypted data without overt intrusion. The lack of a CVSS score limits precise severity assessment, but the potential for confidentiality loss warrants cautious mitigation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest MSI NBFoundation Service patch that corrects the permission settings
Restrict the service’s permissions to the principle of least privilege so that only authorized processes and users can access sensitive data
If the service is unnecessary, disable or remove it
Transition from 3DES‑ECB to a stronger encryption mode (e.g., AES‑CBC or GCM) or otherwise ensure that sensitive data is not protected by a weak algorithm

Generated by OpenCVE AI on June 25, 2026 at 21:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://csr.msi.com/global/product-security-advisories
https://github.com/LittleSuRii/CVE-2026-MSIAPService

History

Thu, 25 Jun 2026 21:45:00 +0000

Type	Values Removed	Values Added
Title		Insecure Permissions Enable Remote Disclosure of Sensitive Data in MSI NBFoundation Service
Weaknesses		CWE-284 CWE-311

Thu, 25 Jun 2026 20:15:00 +0000

Type	Values Removed	Values Added
Description		Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the 3DES-ECB encryption
References		https://csr.msi.com/global/product-security-advisories https://github.com/LittleSuRii/CVE-2026-MSIAPService

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-06-25T00:00:00.000Z

Updated: 2026-06-25T19:57:57.104Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37454

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T21:30:11Z

Weaknesses

CWE-284
Improper Access Control
CWE-311
Missing Encryption of Sensitive Data

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object