Description
An access control deficiency vulnerability exists in ExpressUpdate Agent for Windows. If a malicious user gains access to the product, arbitrary code could be executed with SYSTEM privileges.
Published: 2026-06-26
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an access control deficiency within NEC Corporation's ExpressUpdate Agent for Windows. It allows an attacker who can reach the agent to execute arbitrary code as the SYSTEM account. This flaw can compromise confidentiality, integrity, and availability of the affected machine by granting full administrative control and the ability to install malware or exfiltrate data.

Affected Systems

The issue affects the ExpressUpdate Agent for Windows supplied by NEC Corporation. No specific product versions are listed in the official advisory, so all installations of the agent are potentially vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score is 8.5, indicating high severity. EPSS is not available, and the vulnerability is not yet listed in CISA's KEV. The likely attack vector is local: an attacker who gains any form of access to the machine or the agent service can exploit the flaw. Because exploitation yields full SYSTEM privileges, the risk is significant for any user with administrative or local access rights.

Generated by OpenCVE AI on June 26, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest security patch for ExpressUpdate Agent from NEC, if available, to remove the access control flaw.
  • Limit or remove the exposure of the ExpressUpdate Agent service by restricting it to a dedicated service account with the least privileges required.
  • If the agent is not required for system operation, uninstall or disable it to eliminate the attack surface.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |

Fri, 26 Jun 2026 10:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Nec, Nec expressupdate Agent For Windows |
| Vendors & Products | | Nec, Nec expressupdate Agent For Windows |

Fri, 26 Jun 2026 06:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Access Control Deficiency in ExpressUpdate Agent Enables SYSTEM-Privilege Code Execution |

Fri, 26 Jun 2026 05:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | An access control deficiency vulnerability exists in ExpressUpdate Agent for Windows. If a malicious user gains access to the product, arbitrary code could be executed with SYSTEM privileges. |
| Weaknesses | | CWE-782 |
| References | | |
| Metrics | | cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'} |

MITRE

Status: PUBLISHED

Assigner: NEC

Published:

Updated: 2026-06-26T12:19:51.182Z

Reserved: 2026-05-18T01:11:09.851Z

Link: CVE-2026-8797

Vulnrichment

Updated: 2026-06-26T12:19:46.415Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T09:35:51Z

Weaknesses
  • CWE-782: Exposed IOCTL with Insufficient Access Control