Executive Summary

This vulnerability involves incorrect default permissions set on the pcvisit service binary on Windows systems. Because of these permissions, a low-privileged local attacker can overwrite the service binary with arbitrary content. Since this service binary is automatically launched with NT\SYSTEM privileges during system boot, the attacker can escalate their privileges to the highest system level.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows a low-privileged local attacker to gain NT\SYSTEM level privileges by overwriting the pcvisit service binary. This means an attacker could execute arbitrary code with the highest system privileges, potentially leading to full system compromise, unauthorized access to sensitive data, and control over the affected machine.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, update the pcvisit service to version 25.12.3.1745 or later, where the issue has been fixed.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-0539 allows a low-privileged local attacker to escalate privileges to SYSTEM level by exploiting incorrect default permissions on the pcvisit service binary. This unauthorized privilege escalation can lead to persistent elevated access, enabling attackers to execute arbitrary commands and potentially install backdoors or other malicious software.

Such unauthorized access and control over a system can compromise the confidentiality, integrity, and availability of sensitive data, which are core requirements in compliance frameworks like GDPR and HIPAA. Therefore, if exploited, this vulnerability could lead to violations of these regulations by exposing protected personal or health information to unauthorized parties.

Mitigating this vulnerability by applying the patch or restricting permissions is essential to maintain compliance with these standards and reduce the risk of data breaches or unauthorized system control.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking the file permissions of the pcvisit_service_client.exe binary on the affected Windows system. Specifically, you need to verify if the Everyone group has Modify and Write access to this executable, which would indicate the system is vulnerable.

To detect this, you can use Windows command line tools to inspect the permissions of the file located typically at: C:\Program Files (x86)\pcvisit Software AG\pcvisit RemoteHost\release\[VersionNumber]\pcvisit_service_client.exe

• Use the command: icacls "C:\Program Files (x86)\pcvisit Software AG\pcvisit RemoteHost\release\[VersionNumber]\pcvisit_service_client.exe"

This command will display the Access Control List (ACL) for the file. If the output shows that the Everyone group has Modify or Write permissions, the system is vulnerable.

Additionally, you can check the service binary's folder permissions to ensure no improper folder permission settings exist that could allow unauthorized modification.

• Use the command: icacls "C:\Program Files (x86)\pcvisit Software AG\pcvisit RemoteHost\release\[VersionNumber]"

If patching is not possible, removing Modify and Write permissions for the Everyone group on the executable file can mitigate the vulnerability.

Useful 0 Not Useful 0