Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
WinMatrix agent developed by Simopro Technology has a Missing Authentication vulnerability, allowing authenticated local attackers to execute arbitrary code with SYSTEM privileges on the local machine as well as on all hosts within the environment where the agent is installed.
AnalysisAI
WinMatrix agent escalates privileges to SYSTEM without authentication, enabling authenticated local users to execute arbitrary code with full administrative control on both the local machine and all networked hosts where the agent is deployed. This environmental spread capability (CVSS scope change: H) transforms a local vulnerability into an enterprise-wide threat. Taiwan CERT issued advisories in January 2026 for versions 3.5.13 through 3.5.26.15. No public exploit identified at time of analysis, but CVSS 9.3 reflects catastrophic potential impact given the agent's privileged access and network propagation capability. EPSS data not available for new 2026 CVE.
Technical ContextAI
WinMatrix is an endpoint management agent developed by Simopro Technology, operating with SYSTEM-level privileges to perform administrative tasks across enterprise environments. The vulnerability stems from CWE-306 (Missing Authentication for Critical Function), meaning privileged operations within the agent lack proper authentication checks. The CVSS 4.0 vector confirms local attack vector (AV:L) but critically includes High impact to Subsequent system Confidentiality/Integrity/Availability (SC:H/SI:H/SA:H), indicating scope change - the attacker gains control beyond the initially compromised component. CPE identifies the vulnerable product as cpe:2.3:a:simopro_technology:winmatrix affecting versions 3.5.13 through 3.5.26.15 per EUVD data. Management agents typically expose APIs, IPC mechanisms, or configuration interfaces; missing authentication on these channels allows low-privileged users to inject commands that execute with the agent's SYSTEM context, then propagate through the agent's network communication pathways to other managed endpoints.
RemediationAI
Immediately upgrade WinMatrix agent to version 3.5.26.16 or later if available per vendor guidance, though specific patch version is not confirmed in TWCERT advisories - consult Simopro Technology support portal or contact vendor directly for validated patched release. Review TWCERT advisories at https://www.twcert.org.tw/en/cp-139-10840-ba9b9-2.html for vendor-specific remediation instructions. Until patching completes, implement compensating controls with understanding of operational impact: restrict local interactive logon to WinMatrix-managed systems using Windows Group Policy or equivalent, limiting exposure to domain administrators only (reduces attacker pool but may disrupt legitimate user workflows); apply application control policies via AppLocker or similar to prevent unauthorized process execution in WinMatrix installation directories (may block legitimate administrative tools if misconfigured); enable aggressive process monitoring and EDR alerting for child processes spawned by WinMatrix agent service with SYSTEM privileges executing unexpected binaries; segment WinMatrix management network traffic using VLANs or firewall rules to contain potential lateral movement (requires network architecture changes and may break centralized management features). Audit all systems for unauthorized SYSTEM-level activity since deployment of vulnerable versions. Given the authentication bypass nature, network-level controls provide minimal protection - prioritize rapid patching over workarounds.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23163
GHSA-ppm7-9255-8gmf