Skip to main content

Absolute Secure Access EUVDEUVD-2026-44803

| CVE-2026-55398 MEDIUM
2026-07-15 Absolute
6.9
CVSS 4.0 · Vendor: Absolute
Share

Severity by source

Vendor (Absolute) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.7 LOW

AC:H reflects the requirement for intimate protocol knowledge and tunnel control; impact is non-persistent availability-only, so A:L with C:N and I:N.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Absolute).

CVSS VectorVendor: Absolute

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 15, 2026 - 22:33 EUVD
Analysis Generated
Jul 15, 2026 - 21:03 vuln.today

DescriptionCVE.org

CVE-2026-55398 is a memory management vulnerability in Secure Access clients and servers prior to 14.55. Attackers with intimate knowledge of and total control over the tunnel protocol can create a non-persistent DoS against the server.

AnalysisAI

Memory management flaw in Absolute Secure Access prior to version 14.55 allows a remote attacker with deep protocol knowledge and tunnel control to trigger a non-persistent denial-of-service against the server component. Both client and server software are identified as affected per the vendor's own disclosure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Achieve tunnel control or MITM position
Delivery
Reverse-engineer proprietary tunnel protocol
Exploit
Craft malformed memory-triggering tunnel message
Execution
Transmit crafted message to server endpoint
Persist
Trigger server-side memory management flaw
Impact
Server enters non-persistent DoS state

Vulnerability AssessmentAI

Exploitation Exploitation requires two highly specific preconditions that substantially limit attacker population in practice: (1) 'intimate knowledge of' the proprietary Absolute Secure Access tunnel protocol - implying significant reverse-engineering effort, insider knowledge, or access to proprietary protocol documentation - and (2) 'total control over' the tunnel protocol communication, suggesting either a man-in-the-middle position on the VPN channel, a controlled or compromised client endpoint, or the ability to inject and forge tunnel-layer traffic. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate-to-low despite the network-accessible attack vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a man-in-the-middle position on the VPN tunnel or direct control over a rogue client endpoint, combined with deep reverse-engineering knowledge of the Absolute Secure Access proprietary tunnel protocol, crafts a malformed protocol message targeting the server's memory management routines. Upon delivery, this message triggers an uncontrolled memory condition causing the server to enter a transient denial-of-service state, disrupting remote access connectivity until the service recovers. …
Remediation The primary and definitive fix is to upgrade Absolute Secure Access to version 14.55 or later, which resolves the underlying memory management flaw. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33445 HIGH
8.7 Jul 15

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows a remote attacker with deep,

CVE-2026-40952 HIGH
8.5 Jul 15

Local privilege escalation in Absolute Secure Access for Windows (client and server) before version 14.55 allows a low-p

CVE-2025-49080 HIGH
7.5 Jun 12

Memory management vulnerability in Absolute Secure Access server versions 9.0 through 13.54 that allows unauthenticated,

CVE-2026-0517 HIGH
7.5 Jan 17

Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthentica

CVE-2026-40950 HIGH
7.1 Apr 30

Buffer overflow in Absolute Secure Access server (versions before 14.50) allows authenticated remote attackers with modi

CVE-2026-33443 HIGH
7.1 Jul 15

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows an authenticated tunnel parti

CVE-2026-33444 MEDIUM
6.9 Jul 15

Non-persistent denial-of-service against Absolute Secure Access servers prior to version 14.55 is achievable by an attac

CVE-2026-40953 MEDIUM
6.7 Jul 15

Heap overflow in Absolute Security Secure Access client certificate parsing causes a local denial of service. Versions p

CVE-2025-54088 MEDIUM
6.1 Oct 02

CVE-2025-54088 is an open-redirect vulnerability in Secure Access prior to version 14.10. Attackers with access to the c

CVE-2026-40957 MEDIUM
6.1 Jul 15

Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks

CVE-2024-37345 MEDIUM
5.4 Jun 20

There is a cross-site scripting vulnerability in the Secure Access administrative UI of Absolute Secure Access prior to

CVE-2024-37343 MEDIUM
5.4 Jun 20

There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prio

Share

EUVD-2026-44803 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy