Skip to main content

Idira Endpoint Privilege Manager CVE-2026-45175

| EUVDEUVD-2026-36304 HIGH
Improper Certificate Validation (CWE-295)
2026-06-11 palo_alto GHSA-3jgm-qfwg-p235
8.5
CVSS 4.0 · Vendor: palo_alto
Share

Severity by source

Vendor (palo_alto) PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
vuln.today AI
7.0 HIGH

Local authenticated user (AV:L/PR:L); description's 'specific circumstances' for the cryptographic-check bypass justifies AC:H; full compromise of the agent yields C/I/A:H with no scope change.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (palo_alto).

CVSS VectorVendor: palo_alto

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 11, 2026 - 21:02 EUVD
Analysis Generated
Jun 11, 2026 - 20:23 vuln.today

DescriptionCVE.org

Idira Endpoint Privilege Manager Agent versions prior to 26.5 exhibit improper access control within internal agent validation processes. A local attacker could potentially bypass built-in security controls or cryptographic validations. Under specific circumstances, this could allow the attacker to circumvent agent self-defense mechanisms and execute unauthorized operations. CyberArk Security Bulletin: CA26-19

AnalysisAI

Local privilege escalation and self-defense bypass in CyberArk (Palo Alto Networks) Idira Endpoint Privilege Manager Agent versions prior to 26.5 allows an authenticated local attacker to circumvent internal cryptographic validation and agent tamper-protection controls. Successful exploitation lets the attacker disable EPM enforcement and execute unauthorized operations on the endpoint, undermining the very privilege-management protections the product is meant to provide. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

The affected component is the Idira Endpoint Privilege Manager agent (CPE cpe:2.3:a:cyberark_software,_a_palo_alto_networks_company:idira_endpoint_privilege_manager), an endpoint agent that enforces least-privilege, application control, and self-defense on Windows, macOS, and Linux hosts. CWE-295 (Improper Certificate Validation) indicates that internal validation logic - likely signature, certificate, or token checks used between agent components or between the agent and trusted callers - does not properly verify cryptographic trust, so a local actor able to interact with these internal interfaces can present forged or unverified material and be treated as legitimate. Because the broken check guards self-defense and integrity routines, bypassing it neutralizes the controls the agent itself relies on to resist tampering.

RemediationAI

Vendor-released patch: Idira Endpoint Privilege Manager Agent 26.5 - upgrade all Windows, macOS, and Linux endpoints to 26.5 or later per the release notes linked from CyberArk Security Bulletin CA26-19 (https://docs.cyberark.com/epm/latest/en/content/release%20notes/rn-os-windows.htm#Version2650 and the macOS/Linux equivalents). No vendor workaround is published; until agents are upgraded, compensating controls include tightening EPM policy to deny interactive logon and shell/script execution for non-admin users on sensitive hosts (reduces the population of local attackers who can reach the vulnerable interface, at the cost of usability), monitoring EDR/SIEM telemetry for EPM service stops, driver unloads, or tamper events that indicate self-defense bypass, and enforcing application-control allow-lists outside EPM (e.g. WDAC, Gatekeeper, SELinux) so that disabling the agent does not immediately grant arbitrary code execution.

Share

CVE-2026-45175 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy