Skip to main content

Microsoft EUVDEUVD-2026-23116

| CVE-2026-22676 HIGH
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-04-15 VulnCheck GHSA-g6hr-fwwc-8cg8
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Analysis Generated
Apr 16, 2026 - 00:19 vuln.today
CVSS changed
Apr 15, 2026 - 21:22 NVD
7.8 (HIGH) 8.5 (HIGH)
EUVD ID Assigned
Apr 15, 2026 - 21:15 euvd
EUVD-2026-23116
Analysis Generated
Apr 15, 2026 - 21:15 vuln.today
Patch released
Apr 15, 2026 - 21:15 nvd
Patch available
CVE Published
Apr 15, 2026 - 20:45 nvd
HIGH 8.5

DescriptionCVE.org

Barracuda RMM versions prior to 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on the C:\Windows\Automation directory. Attackers can modify existing automation content or place attacker-controlled files in this directory, which are then executed under the NT AUTHORITY\SYSTEM account during routine automation cycles, typically succeeding within the next execution cycle.

AnalysisAI

Local privilege escalation in Barracuda RMM (all versions prior to 2025.2.2) enables authenticated Windows users to execute arbitrary code as NT AUTHORITY\SYSTEM by writing malicious files to the insecurely-permissioned C:\Windows\Automation directory. Vendor-released patch version 2025.2.2 addresses the filesystem ACL misconfiguration. EPSS data unavailable; no confirmed active exploitation (not in CISA KEV), though VulnCheck public advisory increases likelihood of POC development. CVSS 8.5 reflects high local impact requiring only low-privileged authentication.

Technical ContextAI

Barracuda RMM is a remote monitoring and management platform for MSPs that uses automated agent-based tasks executed under high-privilege service accounts. The vulnerability stems from CWE-732 (Incorrect Permission Assignment for Critical Resource) affecting the C:\Windows\Automation directory ACLs. This directory is used by the RMM agent's automation engine to store and execute scheduled tasks, scripts, and management payloads. Default Windows filesystem security should restrict write access to SYSTEM and Administrators, but the affected RMM versions grant excessive write permissions to lower-privileged users. The automation engine executes content from this directory under NT AUTHORITY\SYSTEM context during routine cycles without validating file integrity or origin, creating a classical DLL hijacking/script injection vector. CPE identifier cpe:2.3:a:barracuda_networks:rmm:*:*:*:*:*:*:*:* encompasses all RMM agent deployments on Windows endpoints managed through Barracuda MSP platform.

RemediationAI

Upgrade all Barracuda RMM agents to version 2025.2.2 or later, available from Barracuda MSP download portal per release notes at https://download.mw-rmm.barracudamsp.com/PDF/2025.2.2/RN_BRMM_2025.2.2_EN.pdf. The patch corrects filesystem ACLs on C:\Windows\Automation to restrict write access appropriately. For environments requiring delayed patching, implement compensating controls: manually harden C:\Windows\Automation directory permissions via icacls /T /Q /C /reset and explicitly grant Modify rights only to SYSTEM and Administrators groups (side effect: may break RMM automation workflows if agents use non-privileged service accounts). Deploy filesystem integrity monitoring (FIM) on C:\Windows\Automation to alert on unauthorized file creation or modification events. Restrict local interactive logon rights on RMM-managed endpoints to trusted administrators via Group Policy (Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment) to reduce attacker surface, though this limits legitimate administrative workflows. Audit existing automation scripts for tampering indicators prior to patch deployment. No workarounds fully mitigate risk without applying the vendor patch.

Share

EUVD-2026-23116 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy