Which versions of AVACAST are affected by CVE-2026-7280?

AVACAST by eMPIA Technology contains an unquoted service path vulnerability (CVE-2026-7280, CVSS 8.4) that allows administrators with existing system access to escalate privileges to SYSTEM level by…

AVACAST CVE-2026-7280

Q: What is the CVSS score of CVE-2026-7280?

CVE-2026-7280 has a CVSS 4.0 base score of 8.4 (High). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-26029 HIGH

Unquoted Search Path or Element (CWE-428)

2026-04-28 twcert

RCE

8.4

CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

Apr 28, 2026 - 10:27 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Apr 28, 2026 - 10:22 vuln.today

cvss_changed

Severity Changed

Apr 28, 2026 - 10:22 NVD

MEDIUM HIGH

CVSS changed

Apr 28, 2026 - 10:22 NVD

6.7 (MEDIUM) 8.4 (HIGH)

Analysis Generated

Apr 28, 2026 - 10:15 vuln.today

EUVD ID Assigned

Apr 28, 2026 - 10:00 euvd

EUVD-2026-26029

Analysis Generated

Apr 28, 2026 - 10:00 vuln.today

CVE Published

Apr 28, 2026 - 09:46 nvd

HIGH 8.4

DescriptionNVD

AVACAST developed by eMPIA Technology has a Unquoted Service Path vulnerability, allowing privileged local attackers to place a malicious executable file in a specific directory, resulting in arbitrary code execution with system privileges when the AVACAST service starts.

AnalysisAI

Unquoted service path vulnerability in AVACAST by eMPIA Technology enables local privilege escalation from high-privileged user to SYSTEM. Attackers with administrative access can plant malicious executables in unquoted paths, achieving arbitrary code execution with system-level privileges upon service restart. …

RemediationAI

Within 24 hours: Inventory all systems running AVACAST and document current version; restrict administrative access to systems running this product where operationally feasible. Within 7 days: Contact eMPIA Technology for patch status and timeline; implement compensating controls per vendor guidance; audit administrative access logs for suspicious service restart activity. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-7280 vulnerability details – vuln.today

Back

AVACAST CVE-2026-7280

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

AVACAST CVE-2026-7280

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code