Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local attack by an authenticated low-priv user (AV:L/PR:L); requires a higher-privileged user to run the trojanized binary (UI:R); full CIA impact on the host once executed.
Primary rating from Vendor (INCIBE).
CVSS VectorVendor: INCIBE
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Incorrect default permissions in ArubaSign, affecting versions prior to v4.6.6. The vulnerability is caused by the assignment of inappropriate permissions during the software’s default installation, whereby the main executable and other programme files located in C:\Program Files have excessive permissions for the ‘Everyone’ group. This could allow an unprivileged user to replace the main executable and/or its components with a malicious file, thereby enabling the execution of arbitrary code. In the worst-case scenario, if the malicious code is executed with elevated privileges (such as those of Administrator or SYSTEM), the attacker could escalate privileges and gain full control of the system, compromising both security and data integrity.
AnalysisAI
Local privilege escalation in ArubaSign prior to v4.6.6 stems from overly permissive ACLs applied at installation, granting the 'Everyone' group write access to the main executable and supporting files under C:\Program Files. An unprivileged local user can swap these binaries for malicious payloads that subsequently execute under the privileges of any user (potentially Administrator or SYSTEM) who later launches the application. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local interactive or remote-shell access to a Windows host with ArubaSign < 4.6.6 installed under C:\Program Files using the default installer-set ACLs (which grant 'Everyone' write access). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:L/AC:L/AT:P/PR:N/UI:P, base 8.8) accurately reflects a local attack that needs no prior privileges but does require a higher-privileged user to subsequently run the tampered binary (UI:P, AT:P). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a shared Windows workstation, a standard-user attacker overwrites C:\Program Files\ArubaSign\ArubaSign.exe with a malicious binary that drops a backdoor and then chain-loads the legitimate code. When a domain administrator later launches ArubaSign to sign a document, the planted payload executes in the admin's context, yielding SYSTEM-level control after a routine UAC elevation. … |
| Remediation | Vendor-released patch: ArubaSign v4.6.6 - upgrade all installations to this version or later, which corrects the installer ACLs. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all systems running ArubaSign prior to v4.6.6; prioritize systems with high-value data or sensitive access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-276 – Incorrect Default Permissions
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38230
GHSA-58j4-vm73-hgvh