Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H reflects the requirement for intimate protocol knowledge and tunnel control; impact is non-persistent availability-only, so A:L with C:N and I:N.
Primary rating from Vendor (Absolute).
CVSS VectorVendor: Absolute
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
CVE-2026-55398 is a memory management vulnerability in Secure Access clients and servers prior to 14.55. Attackers with intimate knowledge of and total control over the tunnel protocol can create a non-persistent DoS against the server.
AnalysisAI
Memory management flaw in Absolute Secure Access prior to version 14.55 allows a remote attacker with deep protocol knowledge and tunnel control to trigger a non-persistent denial-of-service against the server component. Both client and server software are identified as affected per the vendor's own disclosure. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two highly specific preconditions that substantially limit attacker population in practice: (1) 'intimate knowledge of' the proprietary Absolute Secure Access tunnel protocol - implying significant reverse-engineering effort, insider knowledge, or access to proprietary protocol documentation - and (2) 'total control over' the tunnel protocol communication, suggesting either a man-in-the-middle position on the VPN channel, a controlled or compromised client endpoint, or the ability to inject and forge tunnel-layer traffic. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate-to-low despite the network-accessible attack vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a man-in-the-middle position on the VPN tunnel or direct control over a rogue client endpoint, combined with deep reverse-engineering knowledge of the Absolute Secure Access proprietary tunnel protocol, crafts a malformed protocol message targeting the server's memory management routines. Upon delivery, this message triggers an uncontrolled memory condition causing the server to enter a transient denial-of-service state, disrupting remote access connectivity until the service recovers. … |
| Remediation | The primary and definitive fix is to upgrade Absolute Secure Access to version 14.55 or later, which resolves the underlying memory management flaw. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Secure Access
View allPersistent denial-of-service in Absolute Secure Access servers before version 14.55 allows a remote attacker with deep,
Local privilege escalation in Absolute Secure Access for Windows (client and server) before version 14.55 allows a low-p
Memory management vulnerability in Absolute Secure Access server versions 9.0 through 13.54 that allows unauthenticated,
Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthentica
Buffer overflow in Absolute Secure Access server (versions before 14.50) allows authenticated remote attackers with modi
Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows an authenticated tunnel parti
Non-persistent denial-of-service against Absolute Secure Access servers prior to version 14.55 is achievable by an attac
Heap overflow in Absolute Security Secure Access client certificate parsing causes a local denial of service. Versions p
CVE-2025-54088 is an open-redirect vulnerability in Secure Access prior to version 14.10. Attackers with access to the c
Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks
There is a cross-site scripting vulnerability in the Secure Access administrative UI of Absolute Secure Access prior to
There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prio
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44803