Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
Barracuda RMM versions prior to 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on the C:\Windows\Automation directory. Attackers can modify existing automation content or place attacker-controlled files in this directory, which are then executed under the NT AUTHORITY\SYSTEM account during routine automation cycles, typically succeeding within the next execution cycle.
AnalysisAI
Local privilege escalation in Barracuda RMM (all versions prior to 2025.2.2) enables authenticated Windows users to execute arbitrary code as NT AUTHORITY\SYSTEM by writing malicious files to the insecurely-permissioned C:\Windows\Automation directory. Vendor-released patch version 2025.2.2 addresses the filesystem ACL misconfiguration. EPSS data unavailable; no confirmed active exploitation (not in CISA KEV), though VulnCheck public advisory increases likelihood of POC development. CVSS 8.5 reflects high local impact requiring only low-privileged authentication.
Technical ContextAI
Barracuda RMM is a remote monitoring and management platform for MSPs that uses automated agent-based tasks executed under high-privilege service accounts. The vulnerability stems from CWE-732 (Incorrect Permission Assignment for Critical Resource) affecting the C:\Windows\Automation directory ACLs. This directory is used by the RMM agent's automation engine to store and execute scheduled tasks, scripts, and management payloads. Default Windows filesystem security should restrict write access to SYSTEM and Administrators, but the affected RMM versions grant excessive write permissions to lower-privileged users. The automation engine executes content from this directory under NT AUTHORITY\SYSTEM context during routine cycles without validating file integrity or origin, creating a classical DLL hijacking/script injection vector. CPE identifier cpe:2.3:a:barracuda_networks:rmm:*:*:*:*:*:*:*:* encompasses all RMM agent deployments on Windows endpoints managed through Barracuda MSP platform.
RemediationAI
Upgrade all Barracuda RMM agents to version 2025.2.2 or later, available from Barracuda MSP download portal per release notes at https://download.mw-rmm.barracudamsp.com/PDF/2025.2.2/RN_BRMM_2025.2.2_EN.pdf. The patch corrects filesystem ACLs on C:\Windows\Automation to restrict write access appropriately. For environments requiring delayed patching, implement compensating controls: manually harden C:\Windows\Automation directory permissions via icacls /T /Q /C /reset and explicitly grant Modify rights only to SYSTEM and Administrators groups (side effect: may break RMM automation workflows if agents use non-privileged service accounts). Deploy filesystem integrity monitoring (FIM) on C:\Windows\Automation to alert on unauthorized file creation or modification events. Restrict local interactive logon rights on RMM-managed endpoints to trusted administrators via Group Policy (Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment) to reduce attacker surface, though this limits legitimate administrative workflows. Audit existing automation scripts for tampering indicators prior to patch deployment. No workarounds fully mitigate risk without applying the vendor patch.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23116
GHSA-g6hr-fwwc-8cg8