CVE-2026-11858
Received Received - Intake
Local Privilege Escalation in Quanos SCHEMA ST4

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: SEC Consult Vulnerability Lab

Description
Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service. The update service runs as NT AUTHORITY\SYSTEM and exposes a .NET Remoting interface over a named pipe without sufficient access controls or authorization. A local authenticated low-privileged user can connect to the interface and invoke privileged update methods such as Update(). This allows arbitrary file write and delete operations with SYSTEM privileges and can be used to achieve local privilege escalation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2026-11858
EUVD
EUVD-2026-37682
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
quanos schema_st4 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-11858 is a local privilege escalation vulnerability in the Quanos SCHEMA ST4 on-premises Client Update Service. This service runs with SYSTEM-level privileges and exposes a .NET Remoting interface over a named pipe without proper access controls or authorization.

A low-privileged local authenticated user can connect to this interface and invoke privileged update methods such as Update(), which allows arbitrary file write and delete operations with SYSTEM privileges. This can be exploited to escalate local privileges.

Impact Analysis

This vulnerability allows a local authenticated low-privileged user to perform arbitrary file write and delete operations with SYSTEM privileges on the affected system.

As a result, an attacker can escalate their privileges from a low-privileged user to SYSTEM level, potentially gaining full control over the affected machine.

Detection Guidance

This vulnerability involves a local privilege escalation through the Client Update Service's .NET Remoting interface over a named pipe. Detection involves identifying if the vulnerable Client Update Service is running on the system.

Since the service runs locally and exposes a named pipe, you can check for the presence of the Client Update Service process and its named pipe endpoints.

  • On Windows, use the command: `sc queryex type= service state= all | findstr /I "Client Update Service"` to check if the service is running.
  • Use `Get-Process -Name "ClientUpdateService"` in PowerShell to verify the process.
  • To list named pipes, use the Sysinternals tool `pipelist.exe` or run PowerShell commands like `Get-ChildItem \\.\pipe\` and look for pipes related to the Client Update Service.

Because exploitation requires local authenticated access, monitoring for unusual local connections or invocations to the named pipe interface may also help detect attempts.

Mitigation Strategies

The vendor Quanos does not provide a patch for this vulnerability yet.

The recommended immediate mitigation is to disable the affected Client Update Service to prevent exploitation.

  • Stop the Client Update Service using the command: `sc stop "Client Update Service"`.
  • Disable the service to prevent it from starting again: `sc config "Client Update Service" start= disabled`.

Additionally, conduct a thorough security review of the product environment to identify and address any other potential security issues.

Compliance Impact

The provided information does not specify how the CVE-2026-11858 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11858. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart