Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:C/RE:M/U:Red
Local vector and low privileges match description; no user interaction required to query WMI; scope unchanged; confidentiality-only impact with no write or denial capability.
Primary rating from Vendor (symantec).
CVSS VectorVendor: symantec
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:C/RE:M/U:Red
Lifecycle Timeline
1DescriptionCVE.org
The Altiris WMI provider exposes a class (AltirisAgent_Stream) that allows any local standard user to read the contents of any file accessible to the SYSTEM account, bypassing filesystem ACLs. No admin privileges required. The provider reverts to the LocalSystem context when servicing WMI queries without re-impersonating the caller. Any local standard user can therefore read SYSTEM-readable files - including configuration files, service logs, and secrets stored with SYSTEM/Administrator-only ACLs - by querying the provider directly.
AnalysisAI
Local privilege escalation via a misconfigured WMI provider in Broadcom's Symantec IT Management Suite (Altiris) exposes SYSTEM-readable files to any local standard user. The AltirisAgent_Stream WMI class fails to re-impersonate the calling user when servicing queries, reverting to the LocalSystem context instead - allowing unprivileged local users to bypass filesystem ACLs and read files that are restricted to SYSTEM or Administrator accounts, including configuration files, service logs, and stored secrets. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must have a valid local user account on a Windows system where Symantec IT Management Suite (Altiris) is installed and the AltirisAgent_Stream WMI provider is running - no administrator or elevated rights are required. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 4.0 score of 5.1 (Medium) is consistent with the impact profile: high confidentiality impact on the vulnerable system (VC:H) with no integrity or availability consequence, constrained to local attack vector (AV:L) requiring low privileges (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A standard domain user logged into a managed Windows workstation opens a PowerShell session and issues a WMI query targeting the AltirisAgent_Stream class. Because the provider does not re-impersonate the caller, it executes the file read under LocalSystem and returns the contents - the user retrieves a service configuration file containing stored credentials or a private key that is normally restricted via NTFS ACLs to SYSTEM/Administrators only. … |
| Remediation | Consult and apply the remediation specified in Broadcom Security Advisory SA 37995 at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37995 - exact patched version numbers were not independently confirmed from available input data, so the advisory is the authoritative source. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45151
GHSA-63vq-vxhh-x3pr