Description
WinMatrix agent developed by Simopro Technology has a Missing Authentication vulnerability, allowing authenticated local attackers to execute arbitrary code with SYSTEM privileges on the local machine as well as on all hosts within the environment where the agent is installed.
Published: 2026-04-16
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to SYSTEM and Remote Impact
Action: Patch Immediately
AI Analysis

Impact

WinMatrix, an agent developed by Simopro Technology, suffers from a missing authentication weakness that permits a local attacker who has already authenticated to the system to run arbitrary code with SYSTEM privileges. The attacker can execute code on the compromised host and, through the agent’s management capabilities, affect all other hosts within the environment.

Affected Systems

All installations of Simopro Technology’s WinMatrix agent are affected. No specific version information is listed in the vendor data.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.3 and is not currently listed in the KEV catalog. Exploitation requires local authenticated access to the agent; once achieved, the attacker can execute privileged code on the local machine and remotely control additional hosts. The EPSS score is not available, indicating that exploitation probability has not been quantified, but the high severity score suggests a significant threat if a local attacker gains access.

Generated by OpenCVE AI on April 16, 2026 at 09:02 UTC.

Remediation

Vendor Solution

Update agent to version 3.5.27.5 or later.


OpenCVE Recommended Actions

  • Upgrade the WinMatrix agent to version 3.5.27.5 or later.
  • If an upgrade is not immediately possible, restrict local access to the agent and isolate the network path used by the agent from other critical infrastructure.
  • Monitor the system for abnormal code execution, elevated privilege usage, and changes to agent configuration.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 13:15:00 +0000

Values added (none removed):
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 04:45:00 +0000

Values added (none removed):
  First Time appeared: Simopro Technology; Simopro Technology winmatrix3
  Vendors & Products: Simopro Technology; Simopro Technology winmatrix3

Thu, 16 Apr 2026 02:45:00 +0000

Values added (none removed):
  Description: WinMatrix agent developed by Simopro Technology has a Missing Authentication vulnerability, allowing authenticated local attackers to execute arbitrary code with SYSTEM privileges on the local machine as well as on all hosts within the environment where the agent is installed.
  Title: Simopro Technology|WinMatrix - Missing Authentication
  Weaknesses: CWE-306
  References:
  Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}
  Metrics: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-04-16T12:31:42.790Z

Reserved: 2026-04-15T11:32:28.281Z

Link: CVE-2026-6348

Vulnrichment

Updated: 2026-04-16T12:22:18.391Z

NVD

Status: Deferred

Published: 2026-04-16T03:16:30.383

Modified: 2026-05-19T15:52:30.143

Link: CVE-2026-6348

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:15:30Z

Weaknesses