Skip to main content

Acer NitroSense EUVDEUVD-2026-32700

| CVE-2026-9789 HIGH
Path Traversal (CWE-22)
2026-05-28 Acer GHSA-pcjv-vg43-2hf7
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 28, 2026 - 03:25 vuln.today
CVSS changed
May 28, 2026 - 03:22 NVD
8.5 (HIGH)

DescriptionCVE.org

A Local Privilege Escalation (LPE) vulnerability affects Acer NitroSense software versions prior to 3.01.3052. The vulnerability stems from the the PSAdminAgent service, which creates a Named Pipe with a weak Access Control List (ACL). This allows any authenticated local user to connect and send commands. Because the service does not check the caller's privileges before running file deletion commands, a low-privileged local user can exploit this to delete arbitrary files with system authority.

AnalysisAI

Local privilege escalation in Acer NitroSense software versions prior to 3.01.3052 allows any authenticated local user to delete arbitrary files with SYSTEM authority by abusing a weakly-ACL'd Named Pipe exposed by the PSAdminAgent service. No public exploit has been identified at time of analysis, but the issue was disclosed by Acer themselves and a patched version is available.

Technical ContextAI

NitroSense is Acer's pre-installed performance/thermal management utility shipped on Nitro-series gaming laptops, with PSAdminAgent running as a high-privilege Windows service to perform administrative actions on behalf of the user-mode UI. The service uses a Windows Named Pipe for IPC but applies a permissive Discretionary Access Control List that grants connection rights to any authenticated user rather than restricting access to administrators or the UI process itself. This maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) because the privileged file-deletion command handler accepts caller-supplied paths and executes them under the SYSTEM token without authorization checks or path normalization, enabling path traversal to delete files outside any intended scope.

RemediationAI

Apply the vendor-released patch by upgrading Acer NitroSense to version 3.01.3052 or later, available via the Acer support advisory at https://community.acer.com/en/kb/articles/19670 (typically distributed through the NitroSense auto-updater or Acer Care Center). If immediate patching is not possible, compensating controls include stopping and disabling the PSAdminAgent Windows service (which removes the vulnerable Named Pipe but disables NitroSense's privileged actions such as fan control and performance profile switching), uninstalling NitroSense entirely on fleets that do not require its functionality, or restricting interactive logon to trusted accounts only since exploitation requires an authenticated local session. Endpoint protection rules can also be tuned to alert on non-NitroSense processes opening handles to the PSAdminAgent pipe as a detection-side mitigation.

Share

EUVD-2026-32700 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy