Description
SKYSEA Client View and SKYMEC IT Manager provided by Sky Co.,LTD. configure the installation folder with improper file access permission settings. A non-administrative user may manipulate and/or place arbitrary files within the installation folder of the product. As a result, arbitrary code may be executed with the administrative privilege.
Published: 2026-04-20
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation leading to Arbitrary Code Execution
Action: Apply Patch
AI Analysis

Impact

Sky Co.,LTD. products SKYMEC IT Manager and SKYSEA Client View allow a non-administrative user to create or modify files in their installation directory because the directory is configured with overly permissive access settings. This misconfiguration permits the execution of arbitrary code with the privileges that the product runs under, effectively giving the attacker administrative access within the system. The flaw is a permissions issue (CWE-276) and can compromise the confidentiality, integrity and availability of affected systems.

Affected Systems

The vulnerability affects Sky Co.,LTD. SKYMEC IT Manager and SKYSEA Client View. Specific version information is not supplied in the CVE data, so all installed versions of these products should be considered potentially vulnerable until a vendor update is applied.

Risk and Exploitability

The CVSS score of 8.5 marks this as a high-severity issue. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed widespread exploitation yet. The likely attack path is local: a non-admin user can place malicious files in the installation folder, though the effect may be amplified if an attacker can remotely inject files through exposed services or network shares. The lack of hard evidence for exploitation means the actual risk may be lower than the score alone suggests, but the potential for full administrative compromise warrants immediate action.

Generated by OpenCVE AI on April 20, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SKYMEC IT Manager and SKYSEA Client View to the latest vendor releases once available
  • Configure the installation directory to deny write access to all non‑administrative users and allow execution only for administrative accounts
  • Disable any features or services that allow non‑admin users to place files in the installation directory; enforce the principle of least privilege and monitor the folder for unexpected changes
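
The second and third actions can be checked with an ACL audit. The PowerShell script below is an added example, not vendor or OpenCVE code: it lists allow-ACEs that give principals outside a trusted set write-type rights on an installation folder and everything beneath it. The path is a placeholder because the advisory does not state the installation folder, and the trusted SID list is an assumption to adjust for the environment.

```powershell
# Added example (not vendor code): list ACEs that let non-administrative
# principals write into a product installation folder (CWE-276 condition).
param(
    # Placeholder path: the advisory does not state the installation folder.
    [string]$InstallDir = 'C:\Path\To\ProductInstallFolder'
)

# Specific rights that allow creating, replacing or re-permissioning files.
# Composite values (Modify, FullControl) are matched through these bits.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Generic rights can appear unmapped on inherit-only ACEs: GENERIC_WRITE, GENERIC_ALL.
$genericBits = 0x40000000 -bor 0x10000000

# Well-known SIDs expected to hold write access (assumption: adjust as needed).
$trusted = @(
    'S-1-5-18',       # LocalSystem
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-3-0',        # CREATOR OWNER (applies only to objects the creator makes)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Get-WeakAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.FileSystemRights
        if (-not ($rights -band ($writeBits -bor $genericBits))) { continue }
        $sid = $ace.IdentityReference.Value
        if ($trusted -contains $sid) { continue }
        # Resolve a display name where possible; orphaned SIDs stay as SIDs.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }
        [pscustomobject]@{
            Path = $Path; Principal = $name; Sid = $sid
            Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
        }
    }
}

# Check the folder itself and everything beneath it, since a single writable
# subfolder or binary is enough for the issue described.
$targets = @($InstallDir) + @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object FullName)
$targets | ForEach-Object { Get-WeakAce -Path $_ } | Format-Table -AutoSize -Wrap
```

An empty result means no write-type grants to principals outside the trusted list; rows naming groups such as Users, Authenticated Users or Everyone match the condition this CVE describes.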

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Skygroup; Skygroup skymec It Manager; Skygroup skysea Client View |
| Vendors & Products | | Skygroup; Skygroup skymec It Manager; Skygroup skysea Client View |

Mon, 20 Apr 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |

Mon, 20 Apr 2026 08:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | SKYSEA Client View and SKYMEC IT Manager provided by Sky Co.,LTD. configure the installation folder with improper file access permission settings. A non-administrative user may manipulate and/or place arbitrary files within the installation folder of the product. As a result, arbitrary code may be executed with the administrative privilege. |
| Weaknesses | | CWE-276 |
| References | | |
| Metrics | | cvssV3_0: {'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'} |

MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-04-20T13:28:56.536Z

Reserved: 2026-04-08T11:15:40.304Z

Link: CVE-2026-39454

Vulnrichment

Updated: 2026-04-20T13:28:52.399Z

NVD

Status: Awaiting Analysis

Published: 2026-04-20T09:16:08.933

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-39454

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T14:58:02Z

Weaknesses