Skip to main content

ILM Informatique OpenConcerto CVE-2026-6499

| EUVDEUVD-2026-26969 LOW
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-05-04 TCS-CERT
2.4
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.4 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

5
Analysis Generated
May 04, 2026 - 14:30 vuln.today
CVSS changed
May 04, 2026 - 14:22 NVD
2.4 (LOW)
EUVD ID Assigned
May 04, 2026 - 14:15 euvd
EUVD-2026-26969
Analysis Generated
May 04, 2026 - 14:15 vuln.today
CVE Published
May 04, 2026 - 14:08 nvd
LOW 2.4

DescriptionCVE.org

Incorrect Permission Assignment for Critical Resource vulnerability in ILM Informatique OpenConcerto allows Replace Binaries.

This issue affects OpenConcerto: 1.7.5.

AnalysisAI

Incorrect permission assignment in OpenConcerto 1.7.5 enables local authenticated users with UI interaction to modify critical binary files, potentially allowing privilege escalation or persistent code execution through binary replacement. CVSS score of 2.4 (Low) reflects the local-only attack vector and requirement for user interaction, though the vulnerability creates a persistent integrity risk for affected deployments.

Technical ContextAI

OpenConcerto is an enterprise resource planning (ERP) and business management application. The vulnerability stems from CWE-732 (Incorrect Permission Assignment for Critical Resource), indicating that executable binaries or critical runtime files are stored with overly permissive file permissions. This allows local users with valid credentials to directly modify binary files that should be protected from unauthorized writing. When the application later executes these modified binaries, attacker-controlled code runs with the application's privilege level, bypassing code signature verification or integrity checks.

RemediationAI

Upgrade to the latest patched version of OpenConcerto beyond 1.7.5; consult the vendor advisory at https://www.openconcerto.org/fr/version-1.7.html for available updates and security releases. If patching is delayed, restrict file system permissions on OpenConcerto binary directories to read-only for non-administrative users using OS-level access controls (chmod 755 on Unix/Linux, restricted ACLs on Windows). Limit local system access to OpenConcerto installations to trusted users only; audit and disable unnecessary local user accounts. Implement file integrity monitoring (FIM) on OpenConcerto application directories to detect unauthorized binary modifications. Note that file permission restrictions may impact upgrade or maintenance workflows requiring write access, necessitating temporary privilege elevation with strong audit logging.

Share

CVE-2026-6499 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy