Skip to main content

Iperius Backup CVE-2026-4822

| EUVDEUVD-2026-16002 MEDIUM
Creation of Temporary File With Insecure Permissions (CWE-378)
2026-03-25 VulDB GHSA-f8vx-q848-4v5x
6.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Severity Changed
Apr 29, 2026 - 01:11 NVD
HIGH MEDIUM
CVSS changed
Apr 29, 2026 - 01:11 NVD
7.3 (HIGH) 6.4 (MEDIUM)
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
PoC Detected
Mar 30, 2026 - 13:26 vuln.today
Public exploit code
EUVD ID Assigned
Mar 25, 2026 - 20:47 euvd
EUVD-2026-16002
Analysis Generated
Mar 25, 2026 - 20:47 vuln.today
Patch released
Mar 25, 2026 - 20:47 nvd
Patch available
CVE Published
Mar 25, 2026 - 20:31 nvd
HIGH 7.3

DescriptionCVE.org

A vulnerability was detected in Enter Software Iperius Backup bis 8.7.3. Affected is an unknown function of the file C:\ProgramData\IperiusBackup\Jobs\ of the component Backup Service. Performing a manipulation results in creation of temporary file with insecure permissions. The attack is only possible with local access. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The exploit is now public and may be used. Upgrading to version 8.7.4 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

AnalysisAI

Iperius Backup 8.7.3 creates temporary files with insecure permissions in the Backup Service component, allowing local authenticated attackers to potentially escalate privileges or access sensitive data. The vulnerability requires local access and high attack complexity, but public exploit code exists. Upgrading to version 8.7.4 resolves the issue.

Technical ContextAI

The vulnerability affects Enter Software Iperius Backup (CPE: cpe:2.3:a:enter_software:iperius_backup:*:*:*:*:*:*:*:*) through version 8.7.3. It is classified under CWE-378 (Creation of Temporary File With Insecure Permissions), where the Backup Service component creates temporary files in C:\ProgramData\IperiusBackup\Jobs\ with permissions that allow unauthorized local users to read, modify, or leverage these files. This class of vulnerability typically arises when applications fail to properly restrict file permissions during temporary file creation, allowing lower-privileged users to access sensitive data or manipulate files to escalate privileges. The Windows-specific file path indicates this affects only Windows deployments of Iperius Backup.

RemediationAI

Upgrade Iperius Backup to version 8.7.4 or later immediately, available from https://www.iperiusbackup.com/download-software-backup.aspx. The vendor responded professionally and released a fixed version promptly. Until the upgrade can be applied, implement compensating controls such as restricting local access to the C:\ProgramData\IperiusBackup\Jobs\ directory through Windows file system ACLs to prevent lower-privileged users from accessing this location, and ensure only trusted administrators have local access to systems running Iperius Backup. Monitor the directory for unexpected file access or modification attempts. Review the detailed security advisory at https://github.com/0truust/iperius-backup-security-advisories/blob/main/advisories/arbitrary-file-disclosure.md for additional technical details.

Share

CVE-2026-4822 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy