Skip to main content

EaseUS Partition Master CVE-2026-12781

| EUVDEUVD-2026-38146 HIGH
Improper Access Control (CWE-284)
2026-06-21 VulDB GHSA-5497-893c-j3pf
7.1
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
7.1 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

Local attacker with low-privileged authenticated access exploits a kernel driver lacking access checks to gain SYSTEM, yielding full CIA impact with no UI and no scope change.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 22, 2026 - 05:57 vuln.today
CVSS changed
Jun 21, 2026 - 08:22 NVD
8.5 (HIGH) 7.1 (HIGH)

DescriptionCVE.org

A vulnerability was identified in EaseUS Partition Master up to 14.5. The affected element is an unknown function in the library epmntdrv.sys of the component Kernel Driver. The manipulation leads to improper access controls. The attack needs to be performed locally. The exploit is publicly available and might be used. You should upgrade the affected component. The vendor explains: "We have confirmed that this issue was present only in older versions of the product. Our product has since been updated, and the issue has been resolved in the latest version, so it no longer exists."

AnalysisAI

Local privilege escalation in EaseUS Partition Master through version 14.5 stems from improper access controls in the epmntdrv.sys kernel driver, allowing a low-privileged local user to gain SYSTEM-level control over the host. Publicly available exploit code exists and the vendor has confirmed the issue was resolved in newer releases, though no specific patched version is named in the advisory.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain low-privileged local foothold
Delivery
Enumerate installed software and drivers
Exploit
Open handle to epmntdrv.sys device
Execution
Send crafted IOCTL bypassing access checks
Persist
Abuse kernel primitive to elevate to SYSTEM
Impact
Disable defenses and establish persistence

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) EaseUS Partition Master versions 14.0 through 14.5 installed on the target Windows host with the epmntdrv.sys kernel driver loaded, and (2) the attacker to already possess local code execution as a low-privileged authenticated user (PR:L in the CVSS 4.0 vector), meaning this is not remotely reachable and cannot be triggered without an existing foothold. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) with score 7.1 and E:P (Proof-of-Concept) accurately reflects a high-impact local privilege escalation: an authenticated low-privileged user can achieve full confidentiality, integrity, and availability compromise of the host with no user interaction and low attack complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privileged foothold on a Windows endpoint - obtained via phishing, a browser exploit, or a malicious insider account - locates the EaseUS Partition Master installation and opens a handle to the epmntdrv.sys device object, which the driver fails to restrict to administrators. Using the publicly available proof-of-concept (winslow1984.com writeup), the attacker issues crafted IOCTLs to perform kernel-mode read/write primitives and elevates to NT AUTHORITY\SYSTEM, then disables EDR, dumps LSASS, or installs persistent tooling.
Remediation Patch available per vendor advisory - EaseUS states the issue is resolved in the latest version of Partition Master, so upgrade to the current release from https://www.easeus.com/partition-manager/ and confirm the shipped epmntdrv.sys is the post-fix build; an exact patched version number is not published in the advisory, so verify with EaseUS support before declaring systems clean. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify systems running EaseUS Partition Master 14.5 and earlier through your asset inventory. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12781 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy