Description
AVACAST developed by eMPIA Technology has a Unquoted Service Path vulnerability, allowing privileged local attackers to place a malicious executable file in a specific directory, resulting in arbitrary code execution with system privileges when the AVACAST service starts.
Published: 2026-04-28
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution with system privileges
Action: Immediate Patch
AI Analysis

Impact

AVACAST, developed by eMPIA Technology, contains an unquoted service path flaw that allows a local privileged attacker to place a malicious executable in a specific directory. When the AVACAST service starts, the attacker’s executable is invoked with system privileges, enabling full compromise of the host. This vulnerability is classified as a CWE‑428 weakness.

Affected Systems

All versions of AVACAST prior to version 5.10.10.45 are affected. Users should verify that the installed version is earlier than 5.10.10.45 and plan an upgrade.

Risk and Exploitability

The CVSS base score is 8.4, indicating high severity. EPSS data is not available, and the vulnerability is not currently listed in the CISA KEV catalog. Since the flaw requires local privilege, the most likely attack vector involves an attacker already on the machine with administrative rights. Once the attacker gains write access to the AVACAST installation directory, they can drop the malicious program and trigger its execution by restarting the service.

Generated by OpenCVE AI on April 28, 2026 at 12:13 UTC.

Remediation

Vendor Solution

Update to version 5.10.10.45 or later.

OpenCVE Recommended Actions

  • Upgrade AVACAST to version 5.10.10.45 or later
  • Ensure the service path is correctly quoted in the Windows services configuration
  • Restrict write permissions on the AVACAST installation directory so only the system account can modify files
  • Consider disabling the AVACAST service on systems where it is not required

Generated by OpenCVE AI on April 28, 2026 at 12:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Description AVACAST developed by eMPIA Technology has a Unquoted Service Path vulnerability, allowing privileged local attackers to place a malicious executable file in a specific directory, resulting in arbitrary code execution with system privileges when the AVACAST service starts.
Title eMPIA Technology|AVACAST - Unquoted Service Path
Weaknesses CWE-428
References
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-04-28T12:12:53.229Z

Reserved: 2026-04-28T06:55:28.885Z

Link: CVE-2026-7280

cve-icon Vulnrichment

Updated: 2026-04-28T12:12:49.509Z

cve-icon NVD

Status : Deferred

Published: 2026-04-28T10:16:04.263

Modified: 2026-04-28T20:22:38.260

Link: CVE-2026-7280

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T12:15:30Z

Weaknesses