CVE-2026-39454
Received Received - Intake
Improper File Permissions in SKYSEA Client View Allow Privilege Escalation

Publication date: 2026-04-20

Last updated on: 2026-04-20

Assigner: JPCERT/CC

Description
SKYSEA Client View and SKYMEC IT Manager provided by Sky Co.,LTD. configure the installation folder with improper file access permission settings. A non-administrative user may manipulate and/or place arbitrary files within the installation folder of the product. As a result, arbitrary code may be executed with the administrative privilege.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39454
EUVD
EUVD-2026-23793
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
sky_co.ltd skysea_client_view *
sky_co.ltd skymec_it_manager *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-276 During installation, installed file permissions are set to allow anyone to modify those files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in SKYSEA Client View and SKYMEC IT Manager by Sky Co., LTD. The issue is due to improper file access permission settings on the installation folder of these products.

Because of these weak permissions, a non-administrative user can manipulate or place arbitrary files within the installation folder.

This can lead to arbitrary code execution with administrative privileges, meaning an attacker could run malicious code with high-level access.

Impact Analysis

The vulnerability can have serious impacts because it allows a non-administrative user to execute arbitrary code with administrative privileges.

This means an attacker could potentially take full control of the affected system, leading to data theft, system compromise, or disruption of services.

The CVSS scores indicate a high severity, with impacts on confidentiality, integrity, and availability.

Compliance Impact

The provided information does not specify how CVE-2026-39454 affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability is local in nature and involves improper file access permission settings on the installation folders of SKYSEA Client View and SKYMEC IT Manager products. Detection involves checking the file permissions of the installation directories to identify if non-administrative users have write or modify access.

Since the vulnerability allows non-administrative users to place or manipulate arbitrary files in the installation folder, you can detect it by verifying the permissions on these folders on Windows OS systems.

  • Use Windows command line to check folder permissions, for example: icacls "C:\Path\To\InstallationFolder"
  • Look for permissions that allow non-administrative users (such as Users group) to write or modify files.
  • If such permissions are found, the system is vulnerable.
Mitigation Strategies

Immediate mitigation steps include applying the patches or updates provided by Sky Corporation for the affected products.

  • For SKYSEA Client View users with maintenance contracts, download and apply the update to version 21.210.01f or later, or apply the provided patch to the master server.
  • Recreate any installers with department information that were created before applying the fix.
  • For SKYSEA Client View M1 Cloud Edition users, ensure new terminal installers are downloaded from the management console as the fix was applied by Sky Corporation.
  • For SKYMEC IT Manager users, apply the provided patch module to the master server and await the full update module release.

Additionally, review and correct the file access permissions on the installation folders to prevent non-administrative users from modifying or placing files.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39454. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart