CVE-2026-9489

HIGH

NitroSense V3: Local Privilege Escalation (LPE) vulnerability

Title source: cna

Description

NitroSense 3.x before 3.01.3052 contains Local Privilege Escalation (LPE) vulnerability.The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary code with NT AUTHORITY\SYSTEM privileges and to delete arbitrary files with SYSTEM privileges. By leveraging this, an attacker can execute arbitrary code on the target system with elevated privileges.

References (1)

Core 1

Core References

https://community.acer.com/en/kb/articles/19652

Scores

CVSS v4 8.5

EPSS 0.0015

EPSS Percentile 4.6%

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-22 CWE-269 CWE-284 CWE-732

Status published

Products (1)

Acer/NitrorSense V3 3.01.3001 - 3.01.3052

Published May 25, 2026

Tracked Since May 25, 2026