Skip to main content

Absolute Secure Access CVE-2026-33444

| EUVDEUVD-2026-44799 MEDIUM
2026-07-15 Absolute
6.9
CVSS 4.0 · Vendor: Absolute
Share

Severity by source

Vendor (Absolute) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.7 LOW

AC:H reflects the explicit 'intimate knowledge and total control over the tunnel protocol' prerequisite; A:L reflects non-persistent, self-recovering DoS only.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Absolute).

CVSS VectorVendor: Absolute

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 15, 2026 - 22:33 EUVD
Analysis Generated
Jul 15, 2026 - 21:01 vuln.today

DescriptionCVE.org

CVE-2026-33444 is a memory management vulnerability in Secure Access servers prior to 14.55. Attackers with intimate knowledge of and total control over the tunnel protocol can create a non-persistent DoS against the server.

AnalysisAI

Non-persistent denial-of-service against Absolute Secure Access servers prior to version 14.55 is achievable by an attacker who has intimate knowledge of and total control over the tunnel protocol. The attack exploits a memory management flaw in the server component, causing service disruption that does not persist after the attack ends, meaning the server recovers without administrator intervention. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain man-in-the-middle or client control
Delivery
Acquire intimate knowledge of tunnel protocol
Exploit
Craft malformed tunnel protocol messages
Execution
Trigger server-side memory management flaw
Impact
Cause non-persistent server DoS, dropping active sessions

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker possess 'intimate knowledge of' the Absolute Secure Access tunnel protocol - implying non-trivial reverse engineering or insider access to protocol specifications - AND exercise 'total control over' the tunnel protocol traffic, meaning either a man-in-the-middle position on the network path or ability to operate a fully controlled client endpoint that can send arbitrary protocol messages. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N) scores 6.9 and indicates a network-accessible, low-complexity, unauthenticated attack with only low availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A sophisticated attacker who has established a man-in-the-middle position on the network path between a legitimate client and the Secure Access server - or who controls a malicious client with deep knowledge of the tunnel protocol wire format - crafts a sequence of specially malformed tunnel protocol messages that trigger the memory management flaw in the server. The server's availability is disrupted, dropping active sessions and denying access to remote users, before the server recovers without persistent damage. …
Remediation Upgrade Absolute Secure Access server to version 14.55 or later, which is the patched release indicated by the 'prior to 14.55' boundary in the vulnerability description. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33445 HIGH
8.7 Jul 15

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows a remote attacker with deep,

CVE-2026-40952 HIGH
8.5 Jul 15

Local privilege escalation in Absolute Secure Access for Windows (client and server) before version 14.55 allows a low-p

CVE-2025-49080 HIGH
7.5 Jun 12

Memory management vulnerability in Absolute Secure Access server versions 9.0 through 13.54 that allows unauthenticated,

CVE-2026-0517 HIGH
7.5 Jan 17

Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthentica

CVE-2026-40950 HIGH
7.1 Apr 30

Buffer overflow in Absolute Secure Access server (versions before 14.50) allows authenticated remote attackers with modi

CVE-2026-33443 HIGH
7.1 Jul 15

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows an authenticated tunnel parti

CVE-2026-55398 MEDIUM
6.9 Jul 15

Memory management flaw in Absolute Secure Access prior to version 14.55 allows a remote attacker with deep protocol know

CVE-2026-40953 MEDIUM
6.7 Jul 15

Heap overflow in Absolute Security Secure Access client certificate parsing causes a local denial of service. Versions p

CVE-2025-54088 MEDIUM
6.1 Oct 02

CVE-2025-54088 is an open-redirect vulnerability in Secure Access prior to version 14.10. Attackers with access to the c

CVE-2026-40957 MEDIUM
6.1 Jul 15

Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks

CVE-2024-37345 MEDIUM
5.4 Jun 20

There is a cross-site scripting vulnerability in the Secure Access administrative UI of Absolute Secure Access prior to

CVE-2024-37343 MEDIUM
5.4 Jun 20

There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prio

Share

CVE-2026-33444 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy