CVE-2026-11857
Received Received - Intake
Local Privilege Escalation in Quanos SCHEMA ST4 via Insecure Deserialization

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: SEC Consult Vulnerability Lab

Description
Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service due to insecure deserialization in the .NET Remoting service. The service is configured with TypeFilterLevel.Full and is bound to local interfaces only through named pipes. A local authenticated attacker can connect to the local named pipe, obtain the .NET Remoting endpoint, and send specially crafted serialized objects. Successful exploitation results in arbitrary code execution in the context of the update process with NT AUTHORITY\SYSTEM privileges. Network-only exploitation is not possible and local host access with an authenticated user session is required.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2026-11857
EUVD
EUVD-2026-37681
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
quanos content_solutions_schema_st4 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not explicitly address how the CVE-2026-11857 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-11857 is a local privilege escalation vulnerability in Quanos SCHEMA ST4 on-premises. It arises from insecure deserialization in the .NET Remoting service, which is configured with TypeFilterLevel.Full and bound only to local interfaces via named pipes.

A local authenticated attacker can connect to the local named pipe, access the .NET Remoting endpoint, and send specially crafted serialized objects. This allows the attacker to execute arbitrary code with NT AUTHORITY\SYSTEM privileges, effectively gaining full control over the system.

Exploitation requires local host access with an authenticated user session; it cannot be exploited remotely over the network.

Impact Analysis

This vulnerability allows a local authenticated attacker to escalate their privileges to SYSTEM level by executing arbitrary code within the update process context.

With SYSTEM privileges, the attacker can perform any action on the affected system, including modifying or deleting files, installing malware, or disrupting services.

Because exploitation requires local access, the risk is primarily from insiders or attackers who have already gained some level of access to the host.

Detection Guidance

This vulnerability affects the local Client Update Service of Quanos SCHEMA ST4 on-premises installations, which uses .NET Remoting bound to local named pipes. Detection involves verifying if the vulnerable Client Update Service is running on the system.

Since exploitation requires local authenticated access and interaction with named pipes, you can check for the presence of the named pipe endpoints related to the Client Update Service and monitor for unusual or unauthorized connections to these pipes.

Suggested commands to detect the vulnerable service and named pipes include:

  • On Windows, use `sc query` or `Get-Service` PowerShell cmdlet to check if the Client Update Service is running.
  • Use `handle.exe` from Sysinternals or PowerShell scripts to list named pipes and identify those related to the Client Update Service.
  • Monitor event logs and audit logs for suspicious access to named pipes or unexpected process executions with elevated privileges.

Note that network detection is not applicable since the service is bound to local interfaces only and exploitation requires local authenticated access.

Mitigation Strategies

The vendor Quanos does not provide a patch for this vulnerability yet.

As an immediate mitigation, it is recommended to disable the affected Client Update Service to prevent exploitation.

Additionally, conduct a thorough security review of the product deployment to identify and address any other potential security issues.

Since exploitation requires local authenticated access, restricting user permissions and monitoring local user activities can also help reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11857. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart