Skip to main content

UltraISO Premium Edition CVE-2026-12786

| EUVDEUVD-2026-38150 HIGH
Improper Access Control (CWE-284)
2026-06-21 VulDB GHSA-hr5r-cgx8-r3qw
7.1
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
7.1 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

Local-only attack via a kernel driver IOCTL (AV:L), reliable once exploit is known (AC:L), requires an existing low-priv local user (PR:L), no user interaction, and yields SYSTEM giving full C/I/A impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 22, 2026 - 06:00 vuln.today
CVSS changed
Jun 21, 2026 - 09:22 NVD
8.5 (HIGH) 7.1 (HIGH)

DescriptionCVE.org

A vulnerability has been found in Ezbsystems UltraISO Premium Edition up to 9.76. Affected by this issue is some unknown functionality in the library bootpt64.sys of the component Kernel Driver. The manipulation leads to improper access controls. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Local privilege escalation in EZB Systems UltraISO Premium Edition up to 9.76 stems from improper access controls in the bundled bootpt64.sys kernel driver, allowing an authenticated local user to abuse the driver and achieve high-integrity kernel-level impact on confidentiality, integrity, and availability. Publicly available exploit code exists, and the vendor was contacted but did not respond, leaving all currently shipped versions unpatched.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain low-privileged local shell on host
Delivery
Enumerate UltraISO install and bootpt64.sys device
Exploit
Open handle to vulnerable driver device object
Install
Send crafted IOCTL bypassing access checks
C2
Abuse kernel primitive to overwrite process token
Execute
Escalate to NT AUTHORITY\SYSTEM
Impact
Disable defenses and persist

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) UltraISO Premium Edition 9.0-9.76 installed on a 64-bit Windows host with the bootpt64.sys driver loaded or loadable, (2) the attacker already holding interactive or remote code execution as a low-privileged local user on that host (CVSS AV:L, PR:L - no remote network reachability of the driver and no anonymous access), and (3) the ability to open a handle to the driver's device object and issue IOCTLs. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Risk is moderate-to-high for endpoints where UltraISO is installed but not broadly internet-facing. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A standard, low-privileged user on a Windows endpoint - for example, an attacker who landed via a phishing payload or a malicious insider - runs the publicly available exploit which opens a handle to the bootpt64.sys device and issues a crafted IOCTL that the driver processes without enforcing caller privilege. The driver's kernel-mode primitive is abused to overwrite the calling process token (or perform arbitrary kernel write), giving the attacker NT AUTHORITY\SYSTEM and full control of the host, from which they can disable EDR, dump LSASS, and pivot.
Remediation No vendor-released patch identified at time of analysis - EZB Systems was contacted prior to disclosure and did not respond. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit and inventory all systems running UltraISO Premium Edition versions 9.76 and earlier; identify which authenticated local users have access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12786 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy