CVE-2026-11858 (GCVE-0-2026-11858)
Vulnerability from cvelistv5 – Published: 2026-06-17 11:50 – Updated: 2026-06-17 14:56
VLAI
Title
Missing authorization in Quanos SCHEMA ST4 Client Update Service allows arbitrary file overwrite as SYSTEM
Summary
Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service. The update service runs as NT AUTHORITY\SYSTEM and exposes a .NET Remoting interface over a named pipe without sufficient access controls or authorization. A local authenticated low-privileged user can connect to the interface and invoke privileged update methods such as Update(). This allows arbitrary file write and delete operations with SYSTEM privileges and can be used to achieve local privilege escalation.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://r.sec-consult.com/quanos | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Quanos Solutions GmbH | SCHEMA ST4 |
Affected:
SCHEMA ST4 on-premises, all versions
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11858",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T14:56:14.233126Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T14:56:22.560Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "SCHEMA ST4",
"vendor": "Quanos Solutions GmbH",
"versions": [
{
"status": "affected",
"version": "SCHEMA ST4 on-premises, all versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Johannes Kruchem, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service. The update service runs as NT AUTHORITY\\SYSTEM and exposes a .NET Remoting interface over a named pipe without sufficient access controls or authorization. A local authenticated low-privileged user can connect to the interface and invoke privileged update methods such as Update(). This allows arbitrary file write and delete operations with SYSTEM privileges and can be used to achieve local privilege escalation."
}
],
"value": "Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service. The update service runs as NT AUTHORITY\\SYSTEM and exposes a .NET Remoting interface over a named pipe without sufficient access controls or authorization. A local authenticated low-privileged user can connect to the interface and invoke privileged update methods such as Update(). This allows arbitrary file write and delete operations with SYSTEM privileges and can be used to achieve local privilege escalation."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T11:50:47.666Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/quanos"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vendor does not provide a patch. The vendor recommends disabling the affected Client Update Service. Updating the client is then only possible manually with a privileged user account.\u003cdiv\u003e\u003cbr\u003e\u003cdiv\u003e\u003cp\u003eQuanos confirms that exploitation requires local host access with an authenticated user session. In properly managed environments following the Least Privilege principle, the attack surface is significantly reduced. Quanos Cloud/SaaS deployments are not affected. Quanos considers the migration to the Cloud/SaaS architecture the strategic long-term solution.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "The vendor does not provide a patch. The vendor recommends disabling the affected Client Update Service. Updating the client is then only possible manually with a privileged user account.\n\n\nQuanos confirms that exploitation requires local host access with an authenticated user session. In properly managed environments following the Least Privilege principle, the attack surface is significantly reduced. Quanos Cloud/SaaS deployments are not affected. Quanos considers the migration to the Cloud/SaaS architecture the strategic long-term solution."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Missing authorization in Quanos SCHEMA ST4 Client Update Service allows arbitrary file overwrite as SYSTEM",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Disable the Client Update Service until a fix is provided. Restrict local interactive access to systems running SCHEMA ST4 on-premises. Apply the principle of least privilege to local user accounts and prevent untrusted users from obtaining local sessions on affected hosts. Ensure that only trusted administrators can perform client updates manually."
}
],
"value": "Disable the Client Update Service until a fix is provided. Restrict local interactive access to systems running SCHEMA ST4 on-premises. Apply the principle of least privilege to local user accounts and prevent untrusted users from obtaining local sessions on affected hosts. Ensure that only trusted administrators can perform client updates manually."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-11858",
"datePublished": "2026-06-17T11:50:47.666Z",
"dateReserved": "2026-06-10T09:08:26.174Z",
"dateUpdated": "2026-06-17T14:56:22.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-11858",
"date": "2026-06-21",
"epss": "0.00125",
"percentile": "0.02506"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-11858\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-17T14:56:14.233126Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-17T14:56:18.581Z\"}}], \"cna\": {\"title\": \"Missing authorization in Quanos SCHEMA ST4 Client Update Service allows arbitrary file overwrite as SYSTEM\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Johannes Kruchem, SEC Consult Vulnerability Lab\"}], \"impacts\": [{\"capecId\": \"CAPEC-233\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-233 Privilege Escalation\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 8.4, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Quanos Solutions GmbH\", \"product\": \"SCHEMA ST4\", \"versions\": [{\"status\": \"affected\", \"version\": \"SCHEMA ST4 on-premises, all versions\"}], \"defaultStatus\": \"affected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"The vendor does not provide a patch. The vendor recommends disabling the affected Client Update Service. Updating the client is then only possible manually with a privileged user account.\\n\\n\\nQuanos confirms that exploitation requires local host access with an authenticated user session. In properly managed environments following the Least Privilege principle, the attack surface is significantly reduced. Quanos Cloud/SaaS deployments are not affected. Quanos considers the migration to the Cloud/SaaS architecture the strategic long-term solution.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The vendor does not provide a patch. The vendor recommends disabling the affected Client Update Service. Updating the client is then only possible manually with a privileged user account.\u003cdiv\u003e\u003cbr\u003e\u003cdiv\u003e\u003cp\u003eQuanos confirms that exploitation requires local host access with an authenticated user session. In properly managed environments following the Least Privilege principle, the attack surface is significantly reduced. Quanos Cloud/SaaS deployments are not affected. Quanos considers the migration to the Cloud/SaaS architecture the strategic long-term solution.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://r.sec-consult.com/quanos\", \"tags\": [\"third-party-advisory\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Disable the Client Update Service until a fix is provided. Restrict local interactive access to systems running SCHEMA ST4 on-premises. Apply the principle of least privilege to local user accounts and prevent untrusted users from obtaining local sessions on affected hosts. Ensure that only trusted administrators can perform client updates manually.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Disable the Client Update Service until a fix is provided. Restrict local interactive access to systems running SCHEMA ST4 on-premises. Apply the principle of least privilege to local user accounts and prevent untrusted users from obtaining local sessions on affected hosts. Ensure that only trusted administrators can perform client updates manually.\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.2\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service. The update service runs as NT AUTHORITY\\\\SYSTEM and exposes a .NET Remoting interface over a named pipe without sufficient access controls or authorization. A local authenticated low-privileged user can connect to the interface and invoke privileged update methods such as Update(). This allows arbitrary file write and delete operations with SYSTEM privileges and can be used to achieve local privilege escalation.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service. The update service runs as NT AUTHORITY\\\\SYSTEM and exposes a .NET Remoting interface over a named pipe without sufficient access controls or authorization. A local authenticated low-privileged user can connect to the interface and invoke privileged update methods such as Update(). This allows arbitrary file write and delete operations with SYSTEM privileges and can be used to achieve local privilege escalation.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862 Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"shortName\": \"SEC-VLab\", \"dateUpdated\": \"2026-06-17T11:50:47.666Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-11858\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-17T14:56:22.560Z\", \"dateReserved\": \"2026-06-10T09:08:26.174Z\", \"assignerOrgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"datePublished\": \"2026-06-17T11:50:47.666Z\", \"assignerShortName\": \"SEC-VLab\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…