Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H reflects the explicit 'intimate knowledge and total control over the tunnel protocol' prerequisite; A:L reflects non-persistent, self-recovering DoS only.
Primary rating from Vendor (Absolute).
CVSS VectorVendor: Absolute
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
CVE-2026-33444 is a memory management vulnerability in Secure Access servers prior to 14.55. Attackers with intimate knowledge of and total control over the tunnel protocol can create a non-persistent DoS against the server.
AnalysisAI
Non-persistent denial-of-service against Absolute Secure Access servers prior to version 14.55 is achievable by an attacker who has intimate knowledge of and total control over the tunnel protocol. The attack exploits a memory management flaw in the server component, causing service disruption that does not persist after the attack ends, meaning the server recovers without administrator intervention. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker possess 'intimate knowledge of' the Absolute Secure Access tunnel protocol - implying non-trivial reverse engineering or insider access to protocol specifications - AND exercise 'total control over' the tunnel protocol traffic, meaning either a man-in-the-middle position on the network path or ability to operate a fully controlled client endpoint that can send arbitrary protocol messages. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N) scores 6.9 and indicates a network-accessible, low-complexity, unauthenticated attack with only low availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A sophisticated attacker who has established a man-in-the-middle position on the network path between a legitimate client and the Secure Access server - or who controls a malicious client with deep knowledge of the tunnel protocol wire format - crafts a sequence of specially malformed tunnel protocol messages that trigger the memory management flaw in the server. The server's availability is disrupted, dropping active sessions and denying access to remote users, before the server recovers without persistent damage. … |
| Remediation | Upgrade Absolute Secure Access server to version 14.55 or later, which is the patched release indicated by the 'prior to 14.55' boundary in the vulnerability description. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Secure Access
View allPersistent denial-of-service in Absolute Secure Access servers before version 14.55 allows a remote attacker with deep,
Local privilege escalation in Absolute Secure Access for Windows (client and server) before version 14.55 allows a low-p
Memory management vulnerability in Absolute Secure Access server versions 9.0 through 13.54 that allows unauthenticated,
Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthentica
Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows an authenticated tunnel parti
Buffer overflow in Absolute Secure Access server (versions before 14.50) allows authenticated remote attackers with modi
Memory management flaw in Absolute Secure Access prior to version 14.55 allows a remote attacker with deep protocol know
Heap overflow in Absolute Security Secure Access client certificate parsing causes a local denial of service. Versions p
Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks
CVE-2025-54088 is an open-redirect vulnerability in Secure Access prior to version 14.10. Attackers with access to the c
There is a cross-site scripting vulnerability in the Secure Access administrative UI of Absolute Secure Access prior to
There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prio
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44799