EUVD-2026-37682Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Local low-priv user invokes a SYSTEM-owned named-pipe service with no auth checks, gaining arbitrary file write/delete and thus full host compromise (C/I/A:H).
Primary rating from Vendor (SEC-VLab).
CVSS VectorVendor: SEC-VLab
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Lifecycle Timeline
1DescriptionCVE.org
Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service. The update service runs as NT AUTHORITY\SYSTEM and exposes a .NET Remoting interface over a named pipe without sufficient access controls or authorization. A local authenticated low-privileged user can connect to the interface and invoke privileged update methods such as Update(). This allows arbitrary file write and delete operations with SYSTEM privileges and can be used to achieve local privilege escalation.
AnalysisAI
Local privilege escalation in Quanos SCHEMA ST4 on-premises allows low-privileged authenticated Windows users to obtain SYSTEM-level code execution by abusing the Client Update Service. The service exposes a .NET Remoting endpoint over a named pipe with missing authorization checks (CWE-862), letting any local user invoke privileged Update() methods that perform arbitrary file write/delete as NT AUTHORITY\SYSTEM. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target Windows host has the Quanos SCHEMA ST4 on-premises client installed with the Client Update Service running as NT AUTHORITY\SYSTEM and its .NET Remoting named-pipe endpoint active (default behavior of the affected installer). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N) yielding 8.4 (High) is internally consistent with the description: local attack vector, low complexity, low privileges, no user interaction, and high confidentiality/integrity impact via SYSTEM-level file primitives. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A standard domain user logged into a shared Windows workstation that has the SCHEMA ST4 authoring client installed opens a connection to the local named-pipe .NET Remoting endpoint exposed by the Client Update Service, binds to the server-activated object, and calls Update() with attacker-controlled source and destination paths. The service, running as SYSTEM, writes a malicious DLL into a directory loaded by a privileged process (or overwrites a service binary), and the attacker triggers it to obtain SYSTEM, completing local privilege escalation. … |
| Remediation | Patch status is unclear from the supplied data, so treat this as: no vendor-released patch independently confirmed at time of analysis - check the SEC Consult coordinated-disclosure advisory at https://r.sec-consult.com/quanos and the Quanos customer portal for a fixed Client Update Service build and apply it as soon as available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Document all systems running Quanos SCHEMA ST4; restrict local logon rights to administrative accounts only on systems containing sensitive data. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Share
External POC / Exploit Code
Leaving vuln.today