
    3 vulnerabilities found for ExpressUpdate Agent for Windows by NEC Corporation

    JVNDB-2026-000088

    Vulnerability from jvndb - Published: 2026-06-26 14:25 - Updated:2026-06-26 14:25
    Severity
    Summary
    ExpressUpdate Agent for Windows improper access restriction on its named pipe
    Details
    ExpressUpdate Agent for Windows, provided by NEC Corporation, is a software module for NEC server products that supports remote management of installed software. ExpressUpdate Agent for Windows configures its named pipe with improper access restrictions.
    • Exposed IOCTL with Insufficient Access Control (CWE-782) - CVE-2026-8797
    MASAHIRO IIDA of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-000088.html",
      "dc:date": "2026-06-26T14:25+09:00",
      "dcterms:issued": "2026-06-26T14:25+09:00",
      "dcterms:modified": "2026-06-26T14:25+09:00",
      "description": "ExpressUpdate Agent for Windows provided by NEC Corporation is the software module for NEC server products, to support remote management of installed software.\r\nExpressUpdate Agent for Windows configures its named pipe with an improper access restriction.\u003ca href=\u0027https://cwe.mitre.org/data/definitions/782.html\u0027 target=\u0027_blank\u0027\u003e\u003c/a\u003e\u003ca href=\u0027https://www.cve.org/CVERecord?id=CVE-2026-8797\u0027 target=\u0027_blank\u0027\u003e\u003c/a\u003e\u003cul\u003e\u003cli\u003eExposed IOCTL with Insufficient Access Control (CWE-782) - CVE-2026-8797\u003c/li\u003e\u003c/ul\u003eMASAHIRO IIDA of LAC Co., Ltd. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-000088.html",
      "sec:cpe": {
        "#text": "cpe:/a:nec:expressupdate_agent_for_windows",
        "@product": "ExpressUpdate Agent for Windows",
        "@vendor": "NEC Corporation",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "7.8",
        "@severity": "High",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2026-000088",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN35146924/index.html",
          "@id": "JVN#35146924",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2026-8797",
          "@id": "CVE-2026-8797",
          "@source": "CVE"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-Other",
          "@title": "No Mapping(CWE-Other)"
        }
      ],
      "title": "ExpressUpdate Agent for Windows improper access restriction on its named pipe"
    }

    CVE-2026-8797 (GCVE-0-2026-8797)

    Vulnerability from nvd – Published: 2026-06-26 04:14 – Updated: 2026-06-26 12:19
    VLAI
    Summary
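    An access control deficiency vulnerability exists in ExpressUpdate Agent for Windows. If a malicious user gains access to the product, arbitrary code could be executed with SYSTEM privileges. The CVSS vector in the record below (AV:L, PR:L, UI:N) indicates that "access" here means local access with a low-privileged account, which makes this a local privilege escalation to SYSTEM; the CNA record lists versions 3.24 and prior as affected.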
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-782 - Exposed IOCTL with Insufficient Access Control
    Assigner
    NEC
    Impacted products
    Credits
    MASAHIRO IIDA of LAC Co., Ltd.

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8797",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T12:19:40.756620Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T12:19:51.182Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "ExpressUpdate Agent for Windows",
              "vendor": "NEC Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.24 and prior"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "MASAHIRO IIDA of LAC Co., Ltd."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An access control deficiency vulnerability exists in ExpressUpdate Agent for Windows. If a malicious user gains access to the product, arbitrary code could be executed with SYSTEM privileges."
                }
              ],
              "value": "An access control deficiency vulnerability exists in ExpressUpdate Agent for Windows. If a malicious user gains access to the product, arbitrary code could be executed with SYSTEM privileges."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-782",
                  "description": "CWE-782: Exposed IOCTL with Insufficient Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T04:19:19.204Z",
            "orgId": "f2760a35-e0d8-4637-ac4c-cc1a2de3e282",
            "shortName": "NEC"
          },
          "references": [
            {
              "url": "https://jpn.nec.com/security-info/secinfo/nv26-004_en.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f2760a35-e0d8-4637-ac4c-cc1a2de3e282",
        "assignerShortName": "NEC",
        "cveId": "CVE-2026-8797",
        "datePublished": "2026-06-26T04:14:19.370Z",
        "dateReserved": "2026-05-18T01:11:09.851Z",
        "dateUpdated": "2026-06-26T12:19:51.182Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8797 (GCVE-0-2026-8797)

    Vulnerability from cvelistv5 – Published: 2026-06-26 04:14 – Updated: 2026-06-26 12:19
    VLAI
    Summary
    An access control deficiency vulnerability exists in ExpressUpdate Agent for Windows. If a malicious user gains access to the product, arbitrary code could be executed with SYSTEM privileges.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-782 - Exposed IOCTL with Insufficient Access Control
    Assigner
    NEC
    Impacted products
    Credits
    MASAHIRO IIDA of LAC Co., Ltd.

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8797",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T12:19:40.756620Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T12:19:51.182Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "ExpressUpdate Agent for Windows",
              "vendor": "NEC Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.24 and prior"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "MASAHIRO IIDA of LAC Co., Ltd."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An access control deficiency vulnerability exists in ExpressUpdate Agent for Windows. If a malicious user gains access to the product, arbitrary code could be executed with SYSTEM privileges."
                }
              ],
              "value": "An access control deficiency vulnerability exists in ExpressUpdate Agent for Windows. If a malicious user gains access to the product, arbitrary code could be executed with SYSTEM privileges."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-782",
                  "description": "CWE-782: Exposed IOCTL with Insufficient Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T04:19:19.204Z",
            "orgId": "f2760a35-e0d8-4637-ac4c-cc1a2de3e282",
            "shortName": "NEC"
          },
          "references": [
            {
              "url": "https://jpn.nec.com/security-info/secinfo/nv26-004_en.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f2760a35-e0d8-4637-ac4c-cc1a2de3e282",
        "assignerShortName": "NEC",
        "cveId": "CVE-2026-8797",
        "datePublished": "2026-06-26T04:14:19.370Z",
        "dateReserved": "2026-05-18T01:11:09.851Z",
        "dateUpdated": "2026-06-26T12:19:51.182Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }