Skip to main content

Pupsman CVE-2026-57895

| EUVDEUVD-2026-42166 HIGH
Incorrect Default Permissions (CWE-276)
2026-07-08 jpcert GHSA-36rv-fhqc-2cfg
8.5
CVSS 4.0 · Vendor: jpcert
Share

Severity by source

Vendor (jpcert) PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

Local vector and low-privileged foothold required (AV:L, PR:L), no user interaction and low complexity, with full SYSTEM-level C/I/A impact; scope unchanged as the service runs on the same OS.

3.1 AV:L/AC:L/PR:L/UI:N/S:N/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (jpcert).

CVSS VectorVendor: jpcert

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 06:23 vuln.today
CVSS changed
Jul 08, 2026 - 06:22 NVD
7.8 (HIGH) 8.5 (HIGH)

DescriptionCVE.org

Incorrect default permissions issue exists in Pupsman versions prior to 3.9.0. An attacker can place a malicious executable in the installation folder, which results in arbitrary code execution with SYSTEM privilege

AnalysisAI

Local privilege escalation to SYSTEM in Fuji Electric Pupsman before version 3.9.0 allows a low-privileged local user to drop a malicious executable into the weakly-permissioned installation directory, which is then run with SYSTEM privileges for full arbitrary code execution. Reported through JPCERT/CC (JVN JVN62347140); no public exploit identified and no active exploitation is confirmed at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged local account
Delivery
Write malicious executable to install folder
Exploit
SYSTEM service launches planted binary
Execution
Execute arbitrary code as SYSTEM
Impact
Full host compromise

Vulnerability AssessmentAI

Exploitation The attacker must already have local, low-privileged access to a Windows host running Pupsman prior to 3.9.0 (PR:L, AV:L) - there is no remote or network path and no user interaction is required (UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-supplied CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N with VC:H/VI:H/VA:H) describes a locally-exploitable, low-complexity flaw that requires the attacker to already hold a low-privileged foothold but grants total system compromise on success - a classic high-value privilege-escalation primitive rather than a remotely wormable bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A standard (non-admin) user or a piece of malware already running with limited privileges on a Windows host writes a malicious executable into the writable Pupsman installation folder, replacing or adding a binary that the SYSTEM-level service or a scheduled task subsequently launches. On next execution - a reboot, service restart, or timed run - the attacker's code runs as SYSTEM, yielding full host takeover. …
Remediation Vendor-released patch: upgrade Pupsman to version 3.9.0 or later, which corrects the installation-folder permissions; download and advisory details are on the Fuji Electric page (https://www.fujielectric.co.jp/products/power_supply/ups/product_detail/software_pupsman.html) and JVN (https://jvn.jp/en/jp/JVN62347140/). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all systems running Fuji Electric Pupsman to identify version numbers and deployment scope; immediately restrict file permissions on Pupsman installation directories to prevent unauthorized executable creation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57895 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy