Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Incorrect Default Permissions in pcvisit service binary on Windows allows a low-privileged local attacker to escalate their privileges by overwriting the service binary with arbitrary contents. This service binary is automatically launched with NT\SYSTEM privileges on boot. This issue affects all versions after 22.6.22.1329 and was fixed in 25.12.3.1745.
AnalysisAI
Local privilege escalation in pcvisit Remote Host Modul on Windows allows low-privileged users to gain NT AUTHORITY\SYSTEM by overwriting the service binary with malicious code that executes automatically at boot. All versions after 22.6.22.1329 through 25.12.3.1745 are affected due to weak file permissions (CWE-276). Vendor patched in version 25.12.3.1745 per advisory. EPSS and KEV status unknown, but vulnerability is trivial to exploit (CVSS AV:L/AC:L/PR:L) with maximum local impact (8.5 High).
Technical ContextAI
This vulnerability stems from CWE-276 (Incorrect Default Permissions) in the pcvisit service binary installation on Windows. The service runs with NT AUTHORITY\SYSTEM privileges and starts automatically at boot, a common pattern for remote support software. However, the service binary file permissions are misconfigured, allowing low-privileged local users (PR:L) to modify or replace the executable. When Windows boots, the Service Control Manager launches this potentially attacker-modified binary with SYSTEM privileges, completing the privilege escalation. The affected product is pcvisit Remote Host Modul (CPE: cpe:2.3:a:pcvisit:pcvisit_remote_host_modul), a remote desktop/support solution commonly deployed in enterprise environments. This is a classic insecure file permissions vulnerability where the separation between user-writeable paths and privileged execution contexts breaks down.
RemediationAI
Upgrade pcvisit Remote Host Modul to version 25.12.3.1745 or later, which corrects the service binary file permissions. Download from vendor customer portal at https://www.pcvisit.de/kundenbereich/release-notes. If immediate patching is not feasible, implement these compensating controls: (1) Manually restrict NTFS permissions on the pcvisit service binary to System and Administrators groups only, removing write access for Users and Authenticated Users groups - verify with icacls command and note this may be reverted by software updates or reinstalls. (2) Enable Windows Defender Application Control or AppLocker policies to whitelist only the legitimate signed pcvisit binary hash, blocking execution of unsigned or modified versions - requires baseline hash inventory and will block the exploit but may impact legitimate updates. (3) Monitor file integrity of the service binary using SIEM or EDR tooling with alerts on modification - this is detective not preventive. Consult InfoGuard Labs advisory for technical validation steps: https://labs.infoguard.ch/advisories/cve-2026-0539_pcvisit_local-privilege-escalation/.
Same weakness CWE-276 – Incorrect Default Permissions
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24741
GHSA-327c-mq4q-4h9h