CVE-2026-37452
Deferred Deferred - Pending Action

Insecure Permissions in MSI NBFoundation Service Allows Information Disclosure

Vulnerability report for CVE-2026-37452, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-26

Assigner: MITRE

Description

Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the MSIAPService.exe component

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-26
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-14
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
msi nbfoundation_service 2.0.2506.1201

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not explicitly address how the CVE-2026-37452 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the MSI NBFoundation Service (MSIAPService.exe) allowing unauthorized registry operations via the named pipe \\.\pipe\MSI_SERVICE_2 accessible to all Authenticated Users.

To detect exploitation attempts or presence of this vulnerability, you can check for unauthorized access or modifications to registry keys such as CurrentVersion\Run or CurrentControlSet\Services\* which may indicate persistence or service hijacking.

While no specific detection commands are provided, monitoring access to the named pipe \\.\pipe\MSI_SERVICE_2 and auditing registry changes under HKLM or HKCU related to MSI NBFoundation Service could help identify exploitation.

Mitigation Strategies

The primary mitigation is to upgrade MSI Center / MSI NBFoundation Service to the fixed version 2.0.70.0 or later through MSI's official update channel.

There is no configuration-only workaround available for affected versions, so applying the official patch is critical to prevent exploitation.

Executive Summary

This vulnerability is an Insecure Permissions issue in the MSI NBFoundation Service version 2.0.2506.1201. It allows a remote attacker to obtain sensitive information through the MSIAPService.exe component.

Impact Analysis

The vulnerability can allow a remote attacker to access sensitive information, which could lead to unauthorized disclosure of data and potential compromise of system confidentiality.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-37452. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart