Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local escalation by an already-authenticated low-privileged user (AV:L, PR:L), no interaction, yielding full SYSTEM control of the host (C/I/A:H, scope unchanged).
Primary rating from Vendor (de5a6978-88fe-4c27-a7df-d0d5b52d5b52).
CVSS VectorVendor: de5a6978-88fe-4c27-a7df-d0d5b52d5b52
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Omnissa Workspace ONE® Tunnel for Windows addresses a Local Privilege Escalation Vulnerability.
AnalysisAI
Local privilege escalation in Omnissa Workspace ONE Tunnel for Windows lets an authenticated low-privileged local user abuse a path-traversal weakness (CWE-22) to gain higher (likely SYSTEM) privileges on the endpoint. The flaw affects the Windows Tunnel client used for per-app VPN in Workspace ONE managed fleets; no public exploit identified at time of analysis and it is not listed in CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already hold local, low-privileged authenticated access (CVSS PR:L, AV:L) on a Windows endpoint where the Omnissa Workspace ONE Tunnel client for Windows is installed and running as a privileged service; no user interaction is needed (UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) describes a locally exploitable, low-complexity flaw requiring existing low-level privileges and no user interaction, with high impact to all three security properties - internally consistent with a local privilege-escalation primitive. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who already has a standard low-privileged account or code execution on a Windows device running Workspace ONE Tunnel supplies a crafted file path that escapes the intended directory, causing the privileged Tunnel service to write or overwrite a file it should not. By redirecting that write to a location loaded or executed by SYSTEM, the attacker escalates from a normal user to full system privileges; no public POC is currently identified. |
| Remediation | Patch available per vendor advisory: update Omnissa Workspace ONE Tunnel for Windows to the fixed release identified in OMSA-2026-0002 (https://www.omnissa.com/omsa-2026-0002); the exact patched version is not specified in the available data and must be taken from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Windows Omnissa Workspace ONE Tunnel installations and document affected versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42242
GHSA-7c7j-678j-gcch