Skip to main content

Iperius Backup EUVD-2026-17966

| CVE-2026-5310 LOW
Use of Hard-coded Cryptographic Key (CWE-321)
2026-04-01 VulDB GHSA-m24f-g88m-9r7h
Information Disclosure Iperius Backup
1.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.1 LOW
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
CVSS changed
Apr 29, 2026 - 01:11 NVD
2.0 (LOW) 1.1 (LOW)
PoC Detected
Apr 03, 2026 - 16:10 vuln.today
Public exploit code
EUVD ID Assigned
Apr 01, 2026 - 17:30 euvd
EUVD-2026-17966
Analysis Generated
Apr 01, 2026 - 17:30 vuln.today
Patch released
Apr 01, 2026 - 17:30 nvd
Patch available
CVE Published
Apr 01, 2026 - 16:30 nvd
LOW 2.0

DescriptionCVE.org

A vulnerability was identified in Enter Software Iperius Backup up to 8.7.2. This impacts an unknown function of the file IperiusAccounts.ini. Such manipulation leads to use of hard-coded cryptographic key . The attack must be carried out locally. This attack is characterized by high complexity. The exploitability is said to be difficult. The exploit is publicly available and might be used. Upgrading to version 8.7.4 will fix this issue. It is suggested to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

AnalysisAI

Iperius Backup versions up to 8.7.2 use a hard-coded cryptographic key for IperiusAccounts.ini file encryption, allowing local authenticated attackers with low privileges to decrypt stored credentials and extract sensitive account information. The vulnerability requires high attack complexity and local access, resulting in a CVSS 2.0 score with low confidentiality impact; a publicly available proof-of-concept exploit exists, and vendor-released patch version 8.7.4 fixes the issue.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment This vulnerability presents low real-world risk despite the existence of publicly available exploit code. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated local user with low privileges on a system running Iperius Backup 8.7.2 obtains the hard-coded cryptographic key from the application binary or public advisory sources, then uses the publicly available Python proof-of-concept script (available at https://github.com/VulnaraByte/iperius-backup-security-advisories/blob/main/poc/decrypt_iperius.py) to decrypt the IperiusAccounts.ini file and extract stored credentials for cloud backup services, on-premises servers, or other integrated systems. The attacker can then pivot to those external systems using the compromised credentials, escalating their capabilities beyond the local system.
Remediation Vendor-released patch: Upgrade Iperius Backup to version 8.7.4 or later, which replaces the hard-coded cryptographic key with a properly derived encryption mechanism. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-17966 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy