Skip to main content

pcvisit Remote Host EUVDEUVD-2026-24741

| CVE-2026-0539 HIGH
Incorrect Default Permissions (CWE-276)
2026-04-22 NCSC.ch GHSA-327c-mq4q-4h9h
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Apr 22, 2026 - 14:58 vuln.today
CVSS changed
Apr 22, 2026 - 14:22 NVD
8.5 (HIGH)
EUVD ID Assigned
Apr 22, 2026 - 14:00 euvd
EUVD-2026-24741
Analysis Generated
Apr 22, 2026 - 14:00 vuln.today
CVE Published
Apr 22, 2026 - 13:02 nvd
HIGH 8.5

DescriptionCVE.org

Incorrect Default Permissions in pcvisit service binary on Windows allows a low-privileged local attacker to escalate their privileges by overwriting the service binary with arbitrary contents. This service binary is automatically launched with NT\SYSTEM privileges on boot. This issue affects all versions after 22.6.22.1329 and was fixed in 25.12.3.1745.

AnalysisAI

Local privilege escalation in pcvisit Remote Host Modul on Windows allows low-privileged users to gain NT AUTHORITY\SYSTEM by overwriting the service binary with malicious code that executes automatically at boot. All versions after 22.6.22.1329 through 25.12.3.1745 are affected due to weak file permissions (CWE-276). Vendor patched in version 25.12.3.1745 per advisory. EPSS and KEV status unknown, but vulnerability is trivial to exploit (CVSS AV:L/AC:L/PR:L) with maximum local impact (8.5 High).

Technical ContextAI

This vulnerability stems from CWE-276 (Incorrect Default Permissions) in the pcvisit service binary installation on Windows. The service runs with NT AUTHORITY\SYSTEM privileges and starts automatically at boot, a common pattern for remote support software. However, the service binary file permissions are misconfigured, allowing low-privileged local users (PR:L) to modify or replace the executable. When Windows boots, the Service Control Manager launches this potentially attacker-modified binary with SYSTEM privileges, completing the privilege escalation. The affected product is pcvisit Remote Host Modul (CPE: cpe:2.3:a:pcvisit:pcvisit_remote_host_modul), a remote desktop/support solution commonly deployed in enterprise environments. This is a classic insecure file permissions vulnerability where the separation between user-writeable paths and privileged execution contexts breaks down.

RemediationAI

Upgrade pcvisit Remote Host Modul to version 25.12.3.1745 or later, which corrects the service binary file permissions. Download from vendor customer portal at https://www.pcvisit.de/kundenbereich/release-notes. If immediate patching is not feasible, implement these compensating controls: (1) Manually restrict NTFS permissions on the pcvisit service binary to System and Administrators groups only, removing write access for Users and Authenticated Users groups - verify with icacls command and note this may be reverted by software updates or reinstalls. (2) Enable Windows Defender Application Control or AppLocker policies to whitelist only the legitimate signed pcvisit binary hash, blocking execution of unsigned or modified versions - requires baseline hash inventory and will block the exploit but may impact legitimate updates. (3) Monitor file integrity of the service binary using SIEM or EDR tooling with alerts on modification - this is detective not preventive. Consult InfoGuard Labs advisory for technical validation steps: https://labs.infoguard.ch/advisories/cve-2026-0539_pcvisit_local-privilege-escalation/.

Share

EUVD-2026-24741 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy