EUVD-2026-37681Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Local named-pipe access requires an authenticated low-priv session (AV:L, PR:L, AC:L); SYSTEM-level code execution yields full host compromise, so C:H/I:H/A:H within the same scope.
Primary rating from Vendor (SEC-VLab).
CVSS VectorVendor: SEC-VLab
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Lifecycle Timeline
1DescriptionCVE.org
Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service due to insecure deserialization in the .NET Remoting service. The service is configured with TypeFilterLevel.Full and is bound to local interfaces only through named pipes. A local authenticated attacker can connect to the local named pipe, obtain the .NET Remoting endpoint, and send specially crafted serialized objects. Successful exploitation results in arbitrary code execution in the context of the update process with NT AUTHORITY\SYSTEM privileges. Network-only exploitation is not possible and local host access with an authenticated user session is required.
AnalysisAI
Local privilege escalation in Quanos SCHEMA ST4 on-premises allows an authenticated local user to gain NT AUTHORITY\SYSTEM by abusing insecure .NET Remoting deserialization in the Client Update Service. The endpoint, reachable through a local named pipe with TypeFilterLevel.Full, accepts attacker-controlled serialized objects and yields arbitrary code execution in the update process context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an interactive, authenticated local session on a Windows host where the Quanos SCHEMA ST4 Client Update Service is installed and running with its default configuration (.NET Remoting endpoint bound to a local named pipe with TypeFilterLevel.Full); network-only exploitation is not possible per the vendor description. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are internally consistent and indicate a high-severity but locally scoped issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a low-privileged interactive session on a host running SCHEMA ST4 (for example, a phishing foothold or a standard user on a multi-user workstation) connects to the local named pipe exposed by the Client Update Service, retrieves the .NET Remoting object reference, and sends a crafted serialized payload using a known BinaryFormatter gadget chain. Because the service runs with TypeFilterLevel.Full and as NT AUTHORITY\SYSTEM, deserialization triggers code execution at SYSTEM, granting full host takeover from a standard user account. … |
| Remediation | Patch status is not specified in the supplied input, so apply the most specific guidance available: consult the SEC-Consult advisory at https://r.sec-consult.com/quanos and the Quanos vendor advisory it references to identify and deploy the fixed SCHEMA ST4 release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all SCHEMA ST4 on-premises deployments and identify users with local system access; implement immediate restrictions on local logon privileges and remote desktop access to affected systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Share
External POC / Exploit Code
Leaving vuln.today