Skip to main content

ArubaSign EUVDEUVD-2026-38230

| CVE-2026-12602 HIGH
Incorrect Default Permissions (CWE-276)
2026-06-22 INCIBE GHSA-58j4-vm73-hgvh
8.8
CVSS 4.0 · Vendor: INCIBE
Share

Severity by source

Vendor (INCIBE) PRIMARY
8.8 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.3 HIGH

Local attack by an authenticated low-priv user (AV:L/PR:L); requires a higher-privileged user to run the trojanized binary (UI:R); full CIA impact on the host once executed.

3.1 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (INCIBE).

CVSS VectorVendor: INCIBE

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jun 22, 2026 - 15:02 EUVD
Analysis Generated
Jun 22, 2026 - 14:01 vuln.today

DescriptionCVE.org

Incorrect default permissions in ArubaSign, affecting versions prior to v4.6.6. The vulnerability is caused by the assignment of inappropriate permissions during the software’s default installation, whereby the main executable and other programme files located in C:\Program Files have excessive permissions for the ‘Everyone’ group. This could allow an unprivileged user to replace the main executable and/or its components with a malicious file, thereby enabling the execution of arbitrary code. In the worst-case scenario, if the malicious code is executed with elevated privileges (such as those of Administrator or SYSTEM), the attacker could escalate privileges and gain full control of the system, compromising both security and data integrity.

AnalysisAI

Local privilege escalation in ArubaSign prior to v4.6.6 stems from overly permissive ACLs applied at installation, granting the 'Everyone' group write access to the main executable and supporting files under C:\Program Files. An unprivileged local user can swap these binaries for malicious payloads that subsequently execute under the privileges of any user (potentially Administrator or SYSTEM) who later launches the application. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-priv local logon
Delivery
Locate ArubaSign install path
Exploit
Overwrite executable with malicious binary
Execution
Wait for admin to launch ArubaSign
Persist
Payload executes as Administrator/SYSTEM
Impact
Establish persistence and full host control

Vulnerability AssessmentAI

Exploitation Requires local interactive or remote-shell access to a Windows host with ArubaSign < 4.6.6 installed under C:\Program Files using the default installer-set ACLs (which grant 'Everyone' write access). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:L/AC:L/AT:P/PR:N/UI:P, base 8.8) accurately reflects a local attack that needs no prior privileges but does require a higher-privileged user to subsequently run the tampered binary (UI:P, AT:P). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a shared Windows workstation, a standard-user attacker overwrites C:\Program Files\ArubaSign\ArubaSign.exe with a malicious binary that drops a backdoor and then chain-loads the legitimate code. When a domain administrator later launches ArubaSign to sign a document, the planted payload executes in the admin's context, yielding SYSTEM-level control after a routine UAC elevation. …
Remediation Vendor-released patch: ArubaSign v4.6.6 - upgrade all installations to this version or later, which corrects the installer ACLs. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running ArubaSign prior to v4.6.6; prioritize systems with high-value data or sensitive access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38230 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy