Skip to main content

Lakeside SysTrack Agent EUVDEUVD-2026-33066

| CVE-2026-39929 HIGH
Out-of-bounds Read (CWE-125)
2026-05-28 VulnCheck GHSA-96w5-xvg7-p24r
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 28, 2026 - 22:29 vuln.today
v3 (cvss_changed)
Analysis Updated
May 28, 2026 - 22:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 28, 2026 - 22:22 vuln.today
cvss_changed
CVSS changed
May 28, 2026 - 22:22 NVD
7.5 (HIGH) 8.7 (HIGH)
Analysis Generated
May 28, 2026 - 21:51 vuln.today

DescriptionCVE.org

Lakeside SysTrack Agent versions prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, 11.5.0.15 contain an out-of-bounds read vulnerability in the Command ID 30 UDP packet handler that allows remote attackers to crash the application by sending a specially crafted UDP packet. Attackers can send a malformed packet with an invalid memory address at offset 0x4 in the payload to trigger an access violation and cause a denial of service.

AnalysisAI

Remote denial of service in Lakeside SysTrack Agent (lsiagent.exe) allows unauthenticated network attackers to crash the endpoint monitoring agent by sending a single malformed UDP packet to the Command ID 30 handler. The flaw was reported by VulnCheck and carries a CVSS 4.0 score of 8.7 reflecting high availability impact with no privileges or user interaction required; no public exploit identified at time of analysis, though VulnCheck has published an advisory describing the trigger.

Technical ContextAI

Lakeside SysTrack is a digital experience monitoring platform widely deployed across enterprise endpoints, and the affected component is the lsiagent.exe Windows agent process that listens for UDP control messages. The root cause is CWE-125 (Out-of-bounds Read): the Command ID 30 UDP packet handler dereferences a pointer constructed from attacker-controlled bytes at payload offset 0x4 without validating that the resulting address points to mapped memory, producing an access violation. Because the parsing happens in the UDP receive path before any session or authentication state is established, the crash is reachable from anyone who can route a packet to the agent's listening port.

RemediationAI

Apply the vendor-released patch for the deployed branch by upgrading the SysTrack Agent to 11.2.1.28, 11.3.0.38, 11.4.0.24, or 11.5.0.15 (or later) as documented in the Lakeside hotfix release notes linked from documentation.lakesidesoftware.com. Where immediate patching across the fleet is not feasible, restrict inbound UDP traffic to the lsiagent.exe listening port at the host firewall or network segmentation layer so only the SysTrack master servers can reach agents - note that overly tight filtering may break legitimate command-and-control telemetry between the master and agents and should be validated against the deployment's master-server addresses. Monitoring for repeated lsiagent.exe crash events in the Windows Application log or for unexpected UDP traffic to the agent port provides additional detection coverage until patches are fully rolled out.

Share

EUVD-2026-33066 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy