CVE-2026-6348
Deferred
Deferred - Pending Action
Missing Authentication in WinMatrix Agent Enables SYSTEM Code Execution
Vulnerability report for CVE-2026-6348, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-04-16
Last updated on: 2026-05-19
Assigner: TWCERT/CC
Description
Description
WinMatrix agent developed by Simopro Technology has a Missing Authentication vulnerability, allowing authenticated local attackers to execute arbitrary code with SYSTEM privileges on the local machine as well as on all hosts within the environment where the agent is installed.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| simopro_technology | winmatrix_agent | From 3.5.13 (inc) to 3.5.26.15 (inc) |
| simopro_technology | winmatrix_agent | to 3.5.27.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |