Skip to main content

AVACAST EUVDEUVD-2026-26029

| CVE-2026-7280 HIGH
Unquoted Search Path or Element (CWE-428)
2026-04-28 twcert
8.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

8
Analysis Updated
Apr 28, 2026 - 10:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 28, 2026 - 10:22 vuln.today
cvss_changed
Severity Changed
Apr 28, 2026 - 10:22 NVD
MEDIUM HIGH
CVSS changed
Apr 28, 2026 - 10:22 NVD
6.7 (MEDIUM) 8.4 (HIGH)
Analysis Generated
Apr 28, 2026 - 10:15 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 10:00 euvd
EUVD-2026-26029
Analysis Generated
Apr 28, 2026 - 10:00 vuln.today
CVE Published
Apr 28, 2026 - 09:46 nvd
HIGH 8.4

DescriptionCVE.org

AVACAST developed by eMPIA Technology has a Unquoted Service Path vulnerability, allowing privileged local attackers to place a malicious executable file in a specific directory, resulting in arbitrary code execution with system privileges when the AVACAST service starts.

AnalysisAI

Unquoted service path vulnerability in AVACAST by eMPIA Technology enables local privilege escalation from high-privileged user to SYSTEM. Attackers with administrative access can plant malicious executables in unquoted paths, achieving arbitrary code execution with system-level privileges upon service restart. Taiwan CERT (TWCERT) published advisories confirming the vulnerability. No public exploit code identified at time of analysis, and exploitation requires existing administrative privileges, limiting practical risk to environments where privileged user compromise is a concern.

Technical ContextAI

The vulnerability affects AVACAST, a software product developed by eMPIA Technology, identified by CPE cpe:2.3:a:empia_technology:avacast. The issue is classified as CWE-428 (Unquoted Search Path or Element), a Windows-specific weakness where service paths containing spaces are not properly quoted in the registry. When Windows starts a service with an unquoted path like 'C:\Program Files\AVACAST\service.exe', the system searches for executables in multiple locations: first 'C:\Program.exe', then 'C:\Program Files\AVACAST.exe', before the intended target. An attacker with write access to these intermediate directories can plant malicious executables that execute with the service's privileges (typically SYSTEM). This is a well-understood attack vector in Windows environments that has affected numerous products over the years.

RemediationAI

Contact eMPIA Technology directly for patch availability, referencing TWCERT advisories at https://www.twcert.org.tw/en/cp-139-10885-02d83-2.html for vendor coordination details. No vendor-released patch version is independently confirmed in available data at time of analysis. As an immediate workaround, administrators can manually quote the AVACAST service path in the Windows registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, modifying the ImagePath value to enclose the executable path in double quotes. This requires registry editing (regedit.exe), creating a restore point beforehand, and restarting the service after modification. Additionally, implement file system access controls to prevent non-SYSTEM users from writing to directories in the service path (e.g., C:\Program Files\), though this should already be default Windows behavior and indicates potential broader security misconfigurations if writable by standard administrators. Audit all services for unquoted paths using PowerShell: Get-WmiObject win32_service | Where-Object {$_.PathName -notmatch '^".+"' -and $_.PathName -match ' '} | Select Name, PathName.

Share

EUVD-2026-26029 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy