CVE-2026-22676
Received - Intake
Privilege Escalation in Barracuda RMM via Insecure Automation ACLs

Publication date: 2026-04-15

Last updated on: 2026-04-15

Assigner: VulnCheck

Description
Barracuda RMM versions prior to 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on the C:\Windows\Automation directory. Attackers can modify existing automation content or place attacker-controlled files in this directory, which are then executed under the NT AUTHORITY\SYSTEM account during routine automation cycles, typically succeeding within the next execution cycle.
Meta Information
Published: 2026-04-15
Last Modified: 2026-04-15
Generated: 2026-05-07
AI Q&A: 2026-04-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: barracuda
Product: rmm
Version / Range: to 2025.2.2 (exc)
CWE ID: CWE-732
Description: The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
AI Powered Q&A
How can this vulnerability impact me?

The vulnerability allows an attacker with local access to escalate their privileges to SYSTEM level.

This means the attacker can execute arbitrary code with the highest privileges on the system, potentially leading to full system compromise.

Such control can be used to steal sensitive data, disrupt services, install malware, or create persistent backdoors.


Can you explain this vulnerability to me?

This vulnerability exists in Barracuda RMM versions prior to 2025.2.2 and involves privilege escalation.

Local attackers can exploit overly permissive filesystem access control lists (ACLs) on the C:\Windows\Automation directory.

By modifying existing automation content or placing attacker-controlled files in this directory, attackers can have their code executed with SYSTEM-level privileges during routine automation cycles.

This typically happens within the next execution cycle, allowing attackers to gain high-level control over the affected system.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking the permissions on the C:\Windows\Automation directory to see if they are overly permissive, allowing local users to modify or add files.

To check, inspect the access control lists (ACLs) on the directory with Windows command-line tools.

  • Run icacls C:\Windows\Automation to view the current permissions on the directory.
  • Look for permissions that allow modification or write access to non-administrative users.
  • Additionally, review any files in this directory that may have been recently modified or added by unauthorized users.
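
One way to script the ACL check and the recent-file review listed above, as an added example that is not Barracuda or VulnCheck tooling. The trusted-SID list and the seven-day review window are assumptions to adjust for your environment.

```powershell
# Added example, not vendor code. $TrustedSids and the $Days window are assumptions.
param(
    [string]$Path = 'C:\Windows\Automation',
    [int]$Days = 7
)

$TrustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-3-0',        # CREATOR OWNER (applies only to objects a principal could already create)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Rights that allow content to be changed, replaced, or re-permissioned.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
    $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor $R::TakeOwnership)
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) appear as raw numbers in ACEs.
$GenericMask = 0x50000000

function Get-RiskyAce {
    param([string]$Item)
    $acl = Get-Acl -LiteralPath $Item
    # Ask for SIDs so the comparison does not depend on localized account names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedSids -contains $ace.IdentityReference.Value) { continue }
        $mask = [int]$ace.FileSystemRights
        if (($mask -band $WriteMask) -or ($mask -band $GenericMask)) {
            [pscustomobject]@{ Path = $Item; Sid = $ace.IdentityReference.Value
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

# Audit the directory itself and everything beneath it.
$items = @($Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force |
    Select-Object -ExpandProperty FullName)
$items | ForEach-Object { Get-RiskyAce -Item $_ } | Format-Table -AutoSize

# List files created or modified inside the review window, with their owner.
$cutoff = (Get-Date).AddDays(-$Days)
Get-ChildItem -LiteralPath $Path -Recurse -Force -File |
    Where-Object { $_.LastWriteTime -gt $cutoff -or $_.CreationTime -gt $cutoff } |
    Select-Object FullName, LastWriteTime, CreationTime,
        @{ n = 'Owner'; e = { (Get-Acl -LiteralPath $_.FullName).Owner } } | Format-List
```

An empty first table means no Allow entry outside the trusted list carries write-type rights; any row it does print names the path and SID to review before tightening the ACL.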

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting the permissions on the C:\Windows\Automation directory to prevent unauthorized modification.

  • Modify the ACLs to allow only trusted administrative accounts to have write or modify permissions.
  • Remove any unauthorized or suspicious files from the directory.
  • Upgrade Barracuda RMM to version 2025.2.2 or later, where this vulnerability is fixed.
