Description
A Local Privilege Escalation (LPE) vulnerability affects Acer NitroSense software versions prior to 3.01.3052. The vulnerability stems from the PSAdminAgent service, which creates a Named Pipe with a weak Access Control List (ACL). This allows any authenticated local user to connect and send commands. Because the service does not check the caller's privileges before running file deletion commands, a low-privileged local user can exploit this to delete arbitrary files with system authority.
Published: 2026-05-28
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Local Privilege Escalation vulnerability in Acer NitroSense affects versions before 3.01.3052. The PSAdminAgent service creates a named pipe with a weak ACL, allowing any authenticated local user to connect and send commands. Because the service does not verify caller privileges before executing file deletion commands, an attacker can delete arbitrary files with system authority. The weakness maps to CWE‑22 (Path Traversal), CWE‑269 (Privilege Escalation), CWE‑284 (Improper Access Control), and CWE‑732 (Incorrect Permission Assignment).

Affected Systems

Affected systems are Acer NitroSense V3 devices running software prior to version 3.01.3052. Only those installations that have the PSAdminAgent service enabled are vulnerable; newer releases include the fix. No other vendors or product lines are listed as affected.

Risk and Exploitability

The risk is significant with a CVSS score of 8.5, indicating high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the local attack requirement means that any authenticated user on a compromised or trusted machine can exploit the flaw. The exploit path is straightforward: the attacker creates a named pipe connection, sends a malicious command, and the service deletes the target file with system privileges. The lack of privilege checks makes exploitation easy for skilled users.

Generated by OpenCVE AI on May 28, 2026 at 04:35 UTC.

Remediation

Vendor Solution

This issue is resolved in NitroSense versions V3.01.3056.


OpenCVE Recommended Actions

  • Upgrade Acer NitroSense to version V3.01.3056 or later.
  • After upgrading, reboot the system to load the updated PSAdminAgent service.
  • Review the PSAdminAgent named pipe ACL to ensure it allows access only to privileged users, or disable the service if it is not required.

Generated by OpenCVE AI on May 28, 2026 at 04:35 UTC.
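
An added example, not part of the OpenCVE record or Acer's code: a Python check for the ACL review in the last recommended action above. It flags allow ACEs in a pipe's SDDL security descriptor that let broad groups write to the pipe. The SDDL strings are constructed samples, not the actual PSAdminAgent descriptor, and deny ACEs are not evaluated.

```python
import re

# Trustees that include ordinary, non-administrative local users.
BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone",
         "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
         "BU": "Builtin Users", "S-1-5-32-545": "Builtin Users",
         "IU": "Interactive", "S-1-5-4": "Interactive",
         "AN": "Anonymous", "S-1-5-7": "Anonymous"}
# SDDL rights mnemonics and their access-mask bits.
BITS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
        "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
        "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
        "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
        "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100}
# Bits that let a client write to the pipe or rewrite its security descriptor:
# FILE_WRITE_DATA, GENERIC_WRITE, GENERIC_ALL, WRITE_DAC, WRITE_OWNER.
RISKY = 0x2 | 0x40000000 | 0x10000000 | 0x40000 | 0x80000
# Constructed sample descriptors (assumptions, not taken from NitroSense).
WEAK_SDDL = "O:SYG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x12019b;;;AU)"
HARDENED_SDDL = "O:SYG:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)"


def access_mask(rights):
    """Convert an SDDL rights field (hex number or mnemonics) to a bit mask."""
    if rights[:2].lower() == "0x":
        return int(rights, 16)
    mask = 0
    for pair in re.findall("..", rights):
        mask |= BITS.get(pair, 0)
    return mask


def weak_pipe_aces(sddl):
    """Return (trustee, mask) for allow ACEs that let broad groups write."""
    m = re.search(r"D:([A-Z_]*)((?:\([^()]*\))*)", sddl)
    if not m:
        return []
    if m.group(1) == "NO_ACCESS_CONTROL":  # NULL DACL: everyone, full access
        return [("Everyone", 0x10000000)]
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", m.group(2)):
        kind, flags, rights, _, _, sid = ace.split(";")[:6]
        mask = access_mask(rights)
        inherit_only = "IO" in re.findall("..", flags)
        if kind == "A" and sid in BROAD and mask & RISKY and not inherit_only:
            findings.append((BROAD[sid], mask))
    return findings
```

An empty result for the descriptor read from the running service's pipe means no broad group holds write access through an allow ACE.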

Advisories

No advisories yet.

History

Sat, 30 May 2026 21:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Acer; Acer nitrosense V3
Vendors & Products | | Acer; Acer nitrosense V3

Thu, 28 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 03:00:00 +0000

Type | Values Removed | Values Added
Description | | A Local Privilege Escalation (LPE) vulnerability affects Acer NitroSense software versions prior to 3.01.3052. The vulnerability stems from the PSAdminAgent service, which creates a Named Pipe with a weak Access Control List (ACL). This allows any authenticated local user to connect and send commands. Because the service does not check the caller's privileges before running file deletion commands, a low-privileged local user can exploit this to delete arbitrary files with system authority.
Title | | NitroSense V3: Security Vulnerability Information
Weaknesses | | CWE-22, CWE-269, CWE-284, CWE-732
References | |
Metrics | | cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Acer

Published:

Updated: 2026-05-28T13:12:02.598Z

Reserved: 2026-05-28T02:16:31.420Z

Link: CVE-2026-9789

Vulnrichment

Updated: 2026-05-28T13:11:59.272Z

NVD

Status: Deferred

Published: 2026-05-28T03:16:44.200

Modified: 2026-05-28T17:58:14.497

Link: CVE-2026-9789

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T21:00:12Z