Skip to main content

Symantec IT Management Suite EUVDEUVD-2026-45151

| CVE-2026-15379 MEDIUM
2026-07-17 symantec GHSA-63vq-vxhh-x3pr
5.1
CVSS 4.0 · Vendor: symantec
Share

Severity by source

Vendor (symantec) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:C/RE:M/U:Red
vuln.today AI
5.5 MEDIUM

Local vector and low privileges match description; no user interaction required to query WMI; scope unchanged; confidentiality-only impact with no write or denial capability.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (symantec).

CVSS VectorVendor: symantec

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:C/RE:M/U:Red
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 17, 2026 - 07:46 vuln.today

DescriptionCVE.org

The Altiris WMI provider exposes a class (AltirisAgent_Stream) that allows any local standard user to read the contents of any file accessible to the SYSTEM account, bypassing filesystem ACLs. No admin privileges required. The provider reverts to the LocalSystem context when servicing WMI queries without re-impersonating the caller. Any local standard user can therefore read SYSTEM-readable files - including configuration files, service logs, and secrets stored with SYSTEM/Administrator-only ACLs - by querying the provider directly.

AnalysisAI

Local privilege escalation via a misconfigured WMI provider in Broadcom's Symantec IT Management Suite (Altiris) exposes SYSTEM-readable files to any local standard user. The AltirisAgent_Stream WMI class fails to re-impersonate the calling user when servicing queries, reverting to the LocalSystem context instead - allowing unprivileged local users to bypass filesystem ACLs and read files that are restricted to SYSTEM or Administrator accounts, including configuration files, service logs, and stored secrets. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local standard-user session
Delivery
Query AltirisAgent_Stream WMI class
Exploit
Provider executes in LocalSystem context without caller re-impersonation
Execution
Receive SYSTEM-readable file contents bypassing NTFS ACLs
Impact
Harvest secrets or credentials from returned data

Vulnerability AssessmentAI

Exploitation The attacker must have a valid local user account on a Windows system where Symantec IT Management Suite (Altiris) is installed and the AltirisAgent_Stream WMI provider is running - no administrator or elevated rights are required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 4.0 score of 5.1 (Medium) is consistent with the impact profile: high confidentiality impact on the vulnerable system (VC:H) with no integrity or availability consequence, constrained to local attack vector (AV:L) requiring low privileges (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A standard domain user logged into a managed Windows workstation opens a PowerShell session and issues a WMI query targeting the AltirisAgent_Stream class. Because the provider does not re-impersonate the caller, it executes the file read under LocalSystem and returns the contents - the user retrieves a service configuration file containing stored credentials or a private key that is normally restricted via NTFS ACLs to SYSTEM/Administrators only. …
Remediation Consult and apply the remediation specified in Broadcom Security Advisory SA 37995 at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37995 - exact patched version numbers were not independently confirmed from available input data, so the advisory is the authoritative source. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-45151 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy