Description
A vulnerability was detected in Enter Software Iperius Backup up to 8.7.3. Affected is an unknown function of the file C:\ProgramData\IperiusBackup\Jobs\ of the component Backup Service. Manipulation results in the creation of a temporary file with insecure permissions. The attack is only possible with local access. A high degree of complexity is needed for the attack. Exploitation is said to be difficult. The exploit is now public and may be used. Upgrading to version 8.7.4 addresses this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Published: 2026-03-25
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Local disclosure of backup data via insecure temporary files
Action: Upgrade
AI Analysis

Impact

A vulnerability in the Iperius Backup service allows the creation of temporary files in the job directory with insecure permissions. When an attacker triggers the affected function, the backup service writes a file that can be read or modified by any user with local access. The weakness falls under unsafe file permissions and information exposure, enabling an attacker to potentially view or tamper with backup metadata. The vulnerability does not enable remote exploitation and requires local access to the system.

Affected Systems

Enter Software Iperius Backup versions up to and including 8.7.3 are impacted. The flaw resides in the component that processes backup jobs located under C:\ProgramData\IperiusBackup\Jobs\. Users running these versions should be aware that job files may be exposed through temporary file permissions.

Risk and Exploitability

The CVSS score is 7.3, indicating a high impact if exploited. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting that public exploitation is currently rare. However, the exploit is publicly documented and requires local access with a moderate to high level of technical skill. Once a local account is compromised, the attacker can read or modify backup files, potentially compromising the confidentiality and integrity of backup data.

Generated by OpenCVE AI on April 15, 2026 at 08:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch to upgrade Iperius Backup to version 8.7.4 or newer.
  • Restrict the permissions on the C:\ProgramData\IperiusBackup\Jobs\ directory to prevent unauthorized local users from accessing or modifying temporary files, ensuring that only privileged accounts can read or write.
  • Monitor system and backup logs for abnormal file creation activity or unauthorized access attempts to the backup job directory.
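
One way to carry out the directory-permission check in the second recommendation, as an added example (not OpenCVE's or the vendor's code): a PowerShell audit that lists allow-ACEs granting broad local groups read or write access under the Jobs path. The SID list and the rights masks are assumptions, and the function name Get-BroadAce is hypothetical.

```powershell
# Added example: audit ACLs under the job directory named in the advisory.
$JobsDir = 'C:\ProgramData\IperiusBackup\Jobs'

# Assumption: these well-known SIDs stand for "any local user" on the host.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that let a principal read content, or alter/replace it.
$ReadMask  = [int][System.Security.AccessControl.FileSystemRights]'ReadData'
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-BroadAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or -not $BroadSids.ContainsKey($sid)) { continue }
        $rights = [int]$ace.FileSystemRights
        [pscustomobject]@{
            Path      = $Path
            Principal = $BroadSids[$sid]
            CanRead   = ($rights -band $ReadMask) -ne 0
            CanWrite  = ($rights -band $WriteMask) -ne 0
            Inherited = $ace.IsInherited
        }
    }
}

if (Test-Path -LiteralPath $JobsDir) {
    # Check the directory and everything below it: inherit-only ACEs on the
    # directory show up as effective rights on the child files.
    $targets = @($JobsDir) + @(Get-ChildItem -LiteralPath $JobsDir -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName)
    $findings = foreach ($t in $targets) {
        try { Get-BroadAce -Path $t }
        catch { Write-Warning "Cannot read ACL of ${t}: $($_.Exception.Message)" }
    }
    $findings | Where-Object { $_.CanRead -or $_.CanWrite } | Format-Table -AutoSize
} else {
    Write-Warning "$JobsDir not found; nothing to audit."
}
```

Run it from an elevated session so Get-Acl can read every security descriptor; it only reports and changes nothing.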

Advisories

No advisories yet.

History

Sat, 28 Mar 2026 03:15:00 +0000

Type: Description
Values Removed: A vulnerability was detected in Enter Software Iperius Backup bis 8.7.3. Affected is an unknown function of the file C:\ProgramData\IperiusBackup\Jobs\ of the component Backup Service. Performing a manipulation results in creation of temporary file with insecure permissions. The attack is only possible with local access. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The exploit is now public and may be used. Upgrading to version 8.7.4 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Values Added: A vulnerability was detected in Enter Software Iperius Backup up to 8.7.3. Affected is an unknown function of the file C:\ProgramData\IperiusBackup\Jobs\ of the component Backup Service. Performing a manipulation results in creation of temporary file with insecure permissions. The attack is only possible with local access. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The exploit is now public and may be used. Upgrading to version 8.7.4 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Type: Title
Values Removed: Enter Software Iperius Backup Backup Service Local Privilege Escalation
Values Added: Enter Software Iperius Backup Backup Service temp file

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Enter Software; Enter Software iperius Backup

Type: Vendors & Products
Values Added: Enter Software; Enter Software iperius Backup

Wed, 25 Mar 2026 20:45:00 +0000

Type: Description
Values Added: A vulnerability was detected in Enter Software Iperius Backup bis 8.7.3. Affected is an unknown function of the file C:\ProgramData\IperiusBackup\Jobs\ of the component Backup Service. Performing a manipulation results in creation of temporary file with insecure permissions. The attack is only possible with local access. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The exploit is now public and may be used. Upgrading to version 8.7.4 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Type: Title
Values Added: Enter Software Iperius Backup Backup Service Local Privilege Escalation

Type: Weaknesses
Values Added: CWE-377; CWE-378

Type: References

Type: Metrics
Values Added:
cvssV2_0
{'score': 6, 'vector': 'AV:L/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C'}
cvssV3_0
{'score': 7, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C'}
cvssV3_1
{'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C'}
cvssV4_0
{'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-28T01:48:17.741Z

Reserved: 2026-03-25T13:56:35.058Z

Link: CVE-2026-4822

Vulnrichment

Updated: 2026-03-28T01:48:13.923Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T21:16:48.377

Modified: 2026-03-30T13:26:50.827

Link: CVE-2026-4822

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses