CVE-2026-1680
Improper Access Control in Edgemo LocalAdminService Enables Privilege Escalation

Publication date: 2026-01-30

Last updated on: 2026-03-03

Assigner: National Cyber Security Centre Finland

Description
Improper access control in the WCF endpoint in Edgemo (now owned by Danoffice IT) Local Admin Service 1.2.7.23180 on Windows allows a local user to escalate their privileges to local administrator via direct communication with the LocalAdminService.exe named pipe, bypassing client-side group membership restrictions.
Meta Information
Published: 2026-01-30
Last Modified: 2026-03-03
Generated: 2026-05-27
AI Q&A: 2026-01-30
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor: danofficeit
Product: local_admin_service
Version / Range: 1.2.7.23180
CWE
CWE-250: The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided resources do not contain information about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-1680 is a local privilege escalation vulnerability in the Local Admin Service version 1.2.7.23180 by Edgemo (now Danoffice IT). The service has two components: a client application that enforces group membership restrictions before requesting elevation, and a high-privileged service that manages elevation requests via a WCF endpoint. The vulnerability exists because the service does not enforce group membership checks itself, allowing an attacker to bypass the client restrictions by directly communicating with the service's WCF endpoint. This lets any local user escalate their privileges to local administrator by invoking the elevation method directly. [1]


How can this vulnerability impact me?

This vulnerability allows any local user on a Windows machine running the affected Local Admin Service to escalate their privileges to local administrator without proper authorization. This can lead to unauthorized administrative access, enabling the attacker to install software, change system settings, access sensitive data, or further compromise the system and network security. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the LocalAdminService.exe WCF endpoint at net.pipe://localhost/Elevation is accessible and if unauthorized users can invoke the Elevate method to gain administrator privileges. Since the vulnerability involves bypassing client-side group membership checks by directly communicating with the named pipe, detection involves monitoring or attempting to connect to this named pipe endpoint. A practical approach is to use PowerShell or other tools to attempt to connect to the named pipe and invoke the Elevate method, or to check if unauthorized users have been added to the local administrators group unexpectedly. Specific commands are not provided in the resources, but creating or using a proof-of-concept client to test the endpoint is suggested. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the LocalAdminService.exe named pipe (net.pipe://localhost/Elevation) to trusted users only, monitoring and auditing local administrator group membership changes, and limiting local user permissions to prevent unauthorized communication with the service. Since no patch or remediation has been provided by Danoffice IT, organizations should consider disabling or uninstalling the Local Admin Service if possible, or applying strict access controls at the OS level to prevent exploitation. Additionally, reviewing and enforcing organizational policies regarding local privilege elevation requests is recommended. [1]
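
One way to carry out the local administrators group audit mentioned in the detection and mitigation answers above, as an added example that is not taken from the advisory or from the vendor. The allowlist entries and the 30-day window are assumptions to replace with your own values, and the script needs an elevated session with "Audit Security Group Management" enabled so that event 4732 is recorded.

```powershell
# Added example: audit membership of BUILTIN\Administrators on one host.
$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
# Hypothetical allowlist of principals expected in the group (assumption).
$Approved  = @('CONTOSO\Domain Admins', "$env:COMPUTERNAME\Administrator")
$Since     = (Get-Date).AddDays(-30)   # hypothetical look-back window

# 1. History: Security event 4732 = member added to a security-enabled local group.
$filter    = @{ LogName = 'Security'; Id = 4732; StartTime = $Since }
$additions = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData name/value pairs into a hashtable.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }

        # Keep only additions to the Administrators group.
        if ($data.TargetSid -ne $AdminsSid) { return }

        # MemberName is often '-' for local accounts, so resolve MemberSid instead.
        $member = try {
            $sid = [Security.Principal.SecurityIdentifier]$data.MemberSid
            $sid.Translate([Security.Principal.NTAccount]).Value
        } catch { $data.MemberSid }   # account deleted or unresolvable: keep the SID

        [pscustomobject]@{
            Time     = $_.TimeCreated
            Member   = $member
            AddedBy  = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            Approved = $Approved -contains $member
        }
    }

# 2. Current state: who is in the group right now.
$current = Get-LocalGroupMember -SID $AdminsSid |
    Select-Object Name, ObjectClass,
        @{ Name = 'Approved'; Expression = { $Approved -contains $_.Name } }

# 3. Report anything outside the allowlist.
'Unapproved additions since {0:u}:' -f $Since
$additions | Where-Object { -not $_.Approved } | Sort-Object Time | Format-Table -AutoSize
'Unapproved current members:'
$current | Where-Object { -not $_.Approved } | Format-Table -AutoSize
```

The AddedBy column shows the account that performed the change, which helps separate additions made through a service from those made by an interactive administrator.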

