Description
PBackupVSS.exe in Matrix42 Empirum before 25.5 and 26.x before 26.2 creates a named pipe (\\.\pipe\PBackupVSS) with a DACL that grants GENERIC_READ and GENERIC_WRITE permissions to all authenticated users. A low-privileged local attacker can connect to this pipe and send crafted IPC messages to trigger execution of arbitrary commands with SYSTEM privileges via an untrusted search path. This allows privilege escalation by placing a malicious shadow.exe in a controlled working directory.
Published: 2026-06-29
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A local user can gain SYSTEM rights by connecting to a named pipe that the Empirum PBackupVSS executable creates with an overly permissive DACL. The pipe accepts crafted IPC messages, and the commands they trigger are resolved through an untrusted search path. An attacker can place a malicious shadow.exe in a controlled working directory, causing that code to run as SYSTEM. The weakness is an improper access control flaw that permits privilege escalation.

Affected Systems

Matrix42 Empirum before version 25.5 and all 26.x releases before 26.2 are affected. Any installation that utilizes the PBackupVSS component is vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. EPSS data is not available, and the vulnerability is not yet listed in the CISA KEV catalog. A local, low-privileged attacker can exploit the flaw with no privileges beyond being authenticated on the system. The attack vector is local and requires interaction with the named pipe, making it moderately likely to be discovered and used in targeted environments.

Generated by OpenCVE AI on June 29, 2026 at 23:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Matrix42 Empirum to version 25.5 or later, or 26.2 and newer, where the pipe permissions and search path checks have been corrected.
  • If an immediate upgrade is not feasible, restrict the named pipe’s DACL so that only the SYSTEM account can write to it and remove GENERIC_WRITE permissions for authenticated users.
  • Prevent execution of the attacker’s program by ensuring the working directory is not in the system PATH or by enabling the registry setting that disables untrusted DLL search paths.
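
A defender-side check for the pipe permission problem described above, as an added example that is not part of this page or of Matrix42's code: it parses a security descriptor in SDDL form and reports allow ACEs that give broad groups write access. The SDDL strings are constructed samples, not output captured from PBackupVSS, and exporting the descriptor from the pipe is left to the reader's own tooling.

```python
import re

# Well-known broad trustees: SDDL alias or full SID -> display name.
BROAD = {"AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
         "WD": "Everyone", "S-1-1-0": "Everyone",
         "BU": "Builtin Users", "S-1-5-32-545": "Builtin Users",
         "IU": "Interactive", "S-1-5-4": "Interactive",
         "AN": "Anonymous", "S-1-5-7": "Anonymous"}
# SDDL rights codes that allow writing to a pipe or file object.
WRITE_CODES = {"GA", "GW", "FA", "FW"}
# GENERIC_WRITE | GENERIC_ALL | FILE_WRITE_DATA, for hex access masks.
WRITE_MASK = 0x40000000 | 0x10000000 | 0x00000002

def grants_write(rights):
    """True if an SDDL rights field (two-letter codes or hex mask) allows writes."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    return any(code in WRITE_CODES for code in re.findall("..", rights))

def broad_writers(sddl):
    """Names of broad trustees that an allow ACE in the DACL lets write.

    Simplification: deny ACEs and ACE ordering are not evaluated, so a hit
    means "review this descriptor", not a full effective-access computation.
    """
    # Take only the ACEs that directly follow "D:"; the SACL ("S:") is skipped.
    dacl = re.search(r"D:[^()]*((?:\([^()]*\))*)", sddl)
    if not dacl:
        return []
    found = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = ace.split(";")  # type;flags;rights;object;inherit;trustee
        if len(fields) < 6:
            continue
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if ace_type == "A" and trustee in BROAD and grants_write(rights):
            found.append(BROAD[trustee])
    return found

# Constructed sample descriptors (not captured from a real system).
SAMPLES = {
    "permissive": "O:SYG:SYD:(A;;FA;;;SY)(A;;GRGW;;;AU)",
    "restricted": "O:SYG:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)",
}

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        print(name, broad_writers(sddl) or "no broad write access")
```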



Advisories

No advisories yet.

History

Tue, 30 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Untrusted Search Path in Matrix42 Empirum PBackupVSS

Mon, 29 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Mon, 29 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Untrusted Search Path in Matrix42 Empirum PBackupVSS
Weaknesses CWE-284

Mon, 29 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-276
CWE-426
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description PBackupVSS.exe in Matrix42 Empirum before 25.5 and 26.x before 26.2 creates a named pipe (\\.\pipe\PBackupVSS) with a DACL that grants GENERIC_READ and GENERIC_WRITE permissions to all authenticated users. A low-privileged local attacker can connect to this pipe and send crafted IPC messages to trigger execution of arbitrary commands with SYSTEM privileges via an untrusted search path. This allows privilege escalation by placing a malicious shadow.exe in a controlled working directory.
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AC:L/AV:L/A:H/C:H/I:H/PR:L/S:U/UI:N'}



MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-29T20:44:19.597Z

Reserved: 2026-06-26T00:00:00.000Z

Link: CVE-2026-57919

Vulnrichment

Updated: 2026-06-29T20:44:10.319Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T00:00:06Z

Weaknesses