Skip to main content

Symantec Management Suite CVE-2026-15380

| EUVDEUVD-2026-45153 MEDIUM
2026-07-17 symantec GHSA-gvhq-5mp7-wjmp
5.1
CVSS 4.0 · Vendor: symantec
Share

Severity by source

Vendor (symantec) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:C/RE:M/U:Red
vuln.today AI
7.3 HIGH

Local interactive session with low-privilege user required; full SYSTEM execution warrants high C/I/A, correcting the vendor's VC:H-only impact claim.

3.1 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (symantec).

CVSS VectorVendor: symantec

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:C/RE:M/U:Red
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
N

Lifecycle Timeline

1
Analysis Generated
Jul 17, 2026 - 07:46 vuln.today

DescriptionCVE.org

A non-administrator interactive user can obtain full SYSTEM code execution through a DCOM/task scheduler logic chain - no network access, no memory corruption required (ITMS 8.7.3)

AnalysisAI

Full SYSTEM-level code execution in Broadcom's Symantec IT Management Suite (ITMS) 8.7.3 is reachable by any non-administrator interactive user via a DCOM and Windows Task Scheduler logic chain, requiring no network access and no memory corruption. The attack is confined to the local host, meaning a standard user account with an interactive session on the ITMS server is sufficient to achieve unrestricted SYSTEM privileges. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain interactive session on ITMS server
Exploit
Invoke crafted DCOM call or task definition
Execution
Exploit scheduler logic chain
Impact
Execute arbitrary code as SYSTEM

Vulnerability AssessmentAI

Exploitation Exploitation requires an interactive user session - local console or Remote Desktop (RDP) - on the Windows host running ITMS 8.7.3, held by a non-administrator account. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 5.1 (Medium) materially understates the real-world significance of SYSTEM-level privilege escalation from a standard user account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained a standard non-administrator Windows account on the ITMS 8.7.3 management server - via credential theft, phishing, or lateral movement from another host - establishes an interactive session through RDP. By invoking a crafted DCOM call or manipulating a task scheduler registration exposed by an ITMS service component, the attacker triggers the logic chain that causes code to execute under the SYSTEM account, granting unrestricted access to the host and, by extension, to the endpoint management infrastructure it controls. …
Remediation Consult Broadcom Security Advisory ID 37995 at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37995 for the official patch or hotfix targeting ITMS 8.7.3; the exact patched release version is not independently confirmed from the available data, so the advisory is the authoritative source for upgrade targets. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15380 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy