Skip to main content

Gigabyte Control Center CVE-2026-4415

| EUVDEUVD-2026-17069 CRITICAL
Relative Path Traversal (CWE-23)
2026-03-30 twcert
9.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 30, 2026 - 08:15 euvd
EUVD-2026-17069
Analysis Generated
Mar 30, 2026 - 08:15 vuln.today
CVE Published
Mar 30, 2026 - 07:36 nvd
CRITICAL 9.2

DescriptionCVE.org

Gigabyte Control Center developed by GIGABYTE has an Arbitrary File Write vulnerability. When the pairing feature is enabled, unauthenticated remote attackers can write arbitrary files to any location on the underlying operating system, leading to arbitrary code execution or privilege escalation.

AnalysisAI

Remote code execution and privilege escalation in Gigabyte Control Center allows unauthenticated network attackers to write arbitrary files to any system location when the pairing feature is enabled. This path traversal vulnerability (CWE-23) requires high attack complexity but needs no user interaction. No public exploit identified at time of analysis, though the technical details disclosed by Taiwan CERT provide sufficient information for exploitation development. CVSS 8.1 (High) reflects significant impact across confidentiality, integrity, and availability.

Technical ContextAI

The vulnerability stems from insufficient path validation (CWE-23: Relative Path Traversal) in Gigabyte Control Center's pairing feature implementation. When enabled, this utility software for managing Gigabyte hardware components accepts file write requests over the network without proper sanitization of file paths. Attackers can use directory traversal sequences (e.g., '../') to escape intended directories and write files to arbitrary locations including system directories, startup folders, or service executable paths. The affected product is Gigabyte Control Center (CPE: cpe:2.3:a:gigabyte:gigabyte_control_center), a vendor-supplied management utility commonly bundled with Gigabyte motherboards and graphics cards. The pairing feature likely enables synchronization or remote management capabilities between devices, creating a network-exposed attack surface. The high attack complexity (AC:H) suggests exploitation requires specific timing, environmental conditions, or multi-step procedures beyond simply sending malformed requests.

RemediationAI

Organizations should immediately disable the pairing feature in Gigabyte Control Center if not operationally required, eliminating the network attack surface. Contact Gigabyte Technology directly or monitor their official security advisory channels for patch availability and specific affected version identification, as no vendor-released patch version was independently confirmed in current intelligence sources. Review system logs for unexpected file modifications in system directories, startup folders, or service paths that could indicate exploitation attempts. Implement network segmentation to restrict access to systems running Gigabyte Control Center from untrusted networks. Consider uninstalling Gigabyte Control Center entirely if the utility is not essential for hardware management operations. Refer to Taiwan CERT advisories at https://www.twcert.org.tw/en/cp-139-10804-689cd-2.html for additional technical guidance and potential indicators of compromise. Monitor Gigabyte's official support portal for updates on patched versions and apply them immediately upon release.

Share

CVE-2026-4415 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy