Description
NitroSense 3.x before 3.01.3052 contains Local Privilege Escalation (LPE) vulnerability.The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary code with NT AUTHORITY\SYSTEM privileges and to delete arbitrary files with SYSTEM privileges. By leveraging this, an attacker can execute arbitrary code on the target system with elevated privileges.
Published: 2026-05-25
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Acer NitroSense V3 versions before 3.01.3052 contain a misconfigured Windows Named Pipe that exposes a custom protocol to invoke internal functions. The named pipe incorrectly grants any authenticated local user the ability to execute arbitrary code with the privileges of NT AUTHORITY\SYSTEM and to delete any files with SYSTEM ownership. This flaw enables the attacker to run code with elevated privileges, effectively taking full control of the affected system.

Affected Systems

The vulnerability affects the Acer NitroSense V3 product line. All releases of NitroSense 3.x prior to the fixed version 3.01.3056 are impacted. Users of version 3.01.3052 through 3.01.3055 and earlier releases are therefore at risk.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity. The EPSS score is not available, which does not provide additional insight into the likelihood of exploitation. The issue is not listed in the CISA KEV catalog. Local exploit requires an authenticated user; the attack vector is therefore local and requires the attacker to be logged on to the affected machine.

Generated by OpenCVE AI on May 25, 2026 at 03:20 UTC.

Remediation

Vendor Solution

Please update for version  3.01.3056.

OpenCVE Recommended Actions

  • Apply the official update to version 3.01.3056 immediately.
  • Restrict access to the NitroSense Named Pipe by configuring Windows security descriptors to allow only privileged accounts.
  • Consider disabling the NitroSense service or Named Pipe functionality if the functionality is not required for your environment.

Generated by OpenCVE AI on May 25, 2026 at 03:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 25 May 2026 02:15:00 +0000

Type Values Removed Values Added
Description NitroSense 3.x before 3.01.3052 contains Local Privilege Escalation (LPE) vulnerability.The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary code with NT AUTHORITY\SYSTEM privileges and to delete arbitrary files with SYSTEM privileges. By leveraging this, an attacker can execute arbitrary code on the target system with elevated privileges.
Title NitroSense V3: Local Privilege Escalation (LPE) vulnerability
Weaknesses CWE-22
CWE-269
CWE-284
CWE-732
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Acer

Published:

Updated: 2026-05-25T01:50:32.063Z

Reserved: 2026-05-25T01:34:16.727Z

Link: CVE-2026-9489

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-25T03:30:15Z

Weaknesses