CVE-2026-32680
Insecure ACLs in RATOC RAID Installer Enables SYSTEM Code Execution
Publication date: 2026-03-26
Last updated on: 2026-03-26
Assigner: JPCERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ratoc | raid_monitoring_manager | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-276 | During installation, installed file permissions are set to allow anyone to modify those files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the installer of RATOC RAID Monitoring Manager for Windows. It allows users to customize the installation folder. However, if the installation folder is changed from the default to a non-default location, the folder may end up with insecure Access Control Lists (ACLs). This means that non-administrative users could gain the ability to modify the contents of that folder.
Because of these insecure permissions, a non-administrative user could potentially execute arbitrary code with SYSTEM-level privileges, which is the highest level of privilege on a Windows system.
How can this vulnerability impact me? :
This vulnerability can have serious impacts because it allows non-administrative users to execute arbitrary code with SYSTEM privileges. This means an attacker or unauthorized user could gain full control over the affected system.
- Unauthorized modification of system files or settings.
- Installation of malicious software with elevated privileges.
- Potential complete compromise of the affected machine.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows non-administrative users to alter contents of the installation folder and potentially execute arbitrary code with SYSTEM privileges due to insecure ACLs when the installation folder is customized. This could lead to unauthorized access and control over the system, which may result in violations of security requirements mandated by common standards and regulations such as GDPR and HIPAA that require protection of sensitive data and system integrity.
Specifically, the ability for non-administrative users to gain SYSTEM privileges could compromise confidentiality, integrity, and availability of data, thereby impacting compliance with regulations that mandate strict access controls and protection against unauthorized privilege escalation.