CVE-2026-37453
Analyzed Analyzed - Analysis Complete

Insecure Permissions in MSI NBFoundation Service Allows Information Disclosure

Vulnerability report for CVE-2026-37453, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-07-14

Assigner: MITRE

Description

Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the MSI_SERVICE_2 pipe

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-07-14
Generated
2026-07-16
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
msi center to 2.0.70.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an Insecure Permissions issue in the MSI NBFoundation Service version 2.0.2506.1201. It allows a remote attacker to access sensitive information by exploiting the MSI_SERVICE_2 pipe.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive information to remote attackers, potentially compromising confidentiality and security of the affected system.

Compliance Impact

The vulnerability in MSI NBFoundation Service allows a remote attacker to obtain sensitive information via the MSI_SERVICE_2 pipe. This exposure of sensitive information could potentially lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require the protection of sensitive personal or health information.

Since the vulnerability enables unauthorized access to sensitive data without authentication, it increases the risk of data breaches, which are subject to strict reporting and remediation requirements under these regulations.

Therefore, organizations using the affected MSI NBFoundation Service versions may face compliance challenges if this vulnerability is exploited, as it undermines the confidentiality and security controls mandated by common standards and regulations.

Detection Guidance

This vulnerability involves insecure permissions on the named pipe \\.\pipe\MSI_SERVICE_2 used by MSI NBFoundation Service. Detection can focus on checking the accessibility and permissions of this named pipe and monitoring registry modifications via this pipe.

You can use Windows commands to check the existence and permissions of the named pipe MSI_SERVICE_2 and monitor registry changes related to the service.

  • Use PowerShell to check named pipe permissions: Get-Acl \\.\pipe\MSI_SERVICE_2
  • Use Sysinternals' PipeList tool to enumerate named pipes and their permissions.
  • Monitor registry keys such as HKLM\CurrentVersion\Run and HKLM\CurrentControlSet\Services\* for unauthorized changes.
  • Use audit policies or tools like Sysinternals Process Monitor to track access to the named pipe and registry modifications.
Mitigation Strategies

The primary mitigation for this vulnerability is to upgrade MSI Center / MSI NBFoundation Service to the fixed version 2.0.70.0 or later.

There is no configuration-only workaround available for affected versions, so applying the official patch from MSI is essential.

  • Download and install MSI Center version 2.0.70.0 or later from MSI's official update channel.
  • Restrict access to the named pipe \\.\pipe\MSI_SERVICE_2 by applying stricter permissions if possible, although this is not a complete fix.
  • Monitor systems for suspicious registry changes and unauthorized access attempts until the update is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-37453. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart