Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local low-privileged attacker (AV:L/PR:L); the writable-path/timing precondition maps to AC:H; success yields full SYSTEM control, so C:H/I:H/A:H with unchanged scope.
Primary rating from Vendor (hp).
CVSS VectorVendor: hp
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
The HP Fan Control App might allow local escalation of privileges. An updated version of HP Fan Control App has been released to mitigate this potential vulnerability.
AnalysisAI
Local privilege escalation in the HP Fan Control App lets a low-privileged local user gain SYSTEM/administrator-level execution on affected HP endpoints. The flaw stems from CWE-428 (Unquoted Search Path or Element), a classic Windows weakness where a privileged service or process resolves an executable or library from an attacker-controllable path. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already hold a low-privileged local account on a machine with the vulnerable HP Fan Control App installed (PR:L, AV:L) - there is no remote or network path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are moderate and internally consistent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A standard (non-admin) user on a shared HP workstation plants a malicious executable or DLL in a user-writable directory that lies within the privileged Fan Control component's resolution path, then waits for or triggers the service start (reboot, login, or service restart). When the privileged process resolves the unquoted path or insecure search order, it loads and runs the attacker's payload as SYSTEM, yielding full local administrator control. … |
| Remediation | Apply the updated HP Fan Control App that HP has released to mitigate this issue; the exact fixed version is not stated in the provided data, so consult HP advisory HPSBHF04122 at https://support.hp.com/us-en/document/ish_15217742-15217770-16/hpsbhf04122 for the precise patched version and obtain it through HP Support Assistant or the HP software download portal. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Conduct asset inventory to identify all HP endpoints with Fan Control App installed and map local user access levels. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-428 – Unquoted Search Path or Element
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40368
GHSA-p9w6-48xr-5r6q