Severity by source
AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
In Mimecast Incydr before 2.6.0, arbitrary file access can occur.
AnalysisAI
Arbitrary file access in Mimecast Incydr versions before 2.6.0 exposes endpoints to unauthorized read and write operations against files outside the application's intended scope, rooted in incorrect permission assignments (CWE-732). The CVSS 3.1 Changed Scope indicator (S:C) confirms that exploitation can reach resources beyond the Incydr agent boundary - meaningful given that Incydr is itself an insider risk monitoring platform that may store sensitive activity logs and configuration on the endpoint. Mimecast has released version 2.6.0 as the fix; no public exploit identified at time of analysis.
Technical ContextAI
Mimecast Incydr is an endpoint-deployed insider risk management agent that monitors user behavior to detect data exfiltration and policy violations. CWE-732 (Incorrect Permission Assignment for Critical Resource) indicates that files or directories created or managed by the Incydr agent are assigned overly permissive or misconfigured access controls at the operating system level, enabling unintended access by local users or processes. The CPE string cpe:2.3:a:mimecast:incydr:*:*:*:*:*:*:*:* covers all versions of the Incydr application without platform qualifier, suggesting the flaw is present across supported deployment targets. The Changed Scope (S:C) in the CVSS vector is technically significant: it indicates the vulnerable component's security authority boundary is exceeded, meaning improperly permissioned files may belong to or affect a separate security domain - such as other users' data, system configuration, or the monitoring logs the agent itself collects.
RemediationAI
Vendor-released patch: Mimecast Incydr 2.6.0. Upgrade the Incydr endpoint agent to version 2.6.0 or later, which resolves the incorrect file permission assignment. The fix is confirmed in the Mimecast Insider Risk Agent release notes at https://mimecastsupport.zendesk.com/hc/en-us/articles/42665910976659-Insider-risk-agent-release-notes. If immediate patching is not feasible, apply the following compensating controls: restrict interactive local login accounts on systems running the Incydr agent to only essential personnel, reducing the attacker pool consistent with the AV:L requirement; audit and harden file system permissions on Incydr installation and data directories using OS-level access control tools (e.g., icacls on Windows, chmod/chown on Linux/macOS) to enforce least-privilege access; and enable file access auditing on Incydr-managed directories via endpoint detection tooling to detect unauthorized access attempts. Note that restricting local login access may affect helpdesk and IT administrative workflows and should be coordinated with operations teams.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34777
GHSA-6m3j-hq56-jq77