CVE-2026-57919
Received - Intake

Privilege Escalation via Named Pipe in Matrix42 Empirum

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: MITRE

Description

PBackupVSS.exe in Matrix42 Empirum before 25.5 and 26.x before 26.2 creates a named pipe (\\.\pipe\PBackupVSS) with a DACL that grants GENERIC_READ and GENERIC_WRITE permissions to all authenticated users. A low-privileged local attacker can connect to this pipe and send crafted IPC messages to trigger execution of arbitrary commands with SYSTEM privileges via an untrusted search path. This allows privilege escalation by placing a malicious shadow.exe in a controlled working directory.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 5 associated CPEs
Vendor     Product                   Version / Range
matrix42   empirum                   to 25.5 (exc)
matrix42   empirum                   From 26.0 (inc) to 26.2 (exc)
matrix42   empirum_personal_backup   25.4
matrix42   empirum_personal_backup   26.1
matrix42   empirum_personal_backup   to 25.5|end_excluding=26.2 (exc)

Exploitability

CWE ID Description
CWE-276 During installation, installed file permissions are set to allow anyone to modify those files.
CWE-426 The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

Compliance Impact

The provided information does not explicitly mention the impact of CVE-2026-57919 on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-57919 is a local privilege escalation vulnerability in Matrix42 Empirum Personal Backup. It occurs because the program creates a named pipe (\\.\pipe\PBackupVSS) with overly permissive access controls, granting read and write permissions to all authenticated users.

A low-privileged local attacker can connect to this pipe and send specially crafted Inter-Process Communication (IPC) messages. This can trigger the execution of arbitrary commands with SYSTEM-level privileges by exploiting an untrusted search path, allowing the attacker to place a malicious executable in a controlled directory.

Impact Analysis

This vulnerability can lead to full system compromise by allowing a low-privileged authenticated user to escalate their privileges to SYSTEM level.

An attacker exploiting this flaw can execute arbitrary code with the highest system privileges, potentially leading to unauthorized access, data manipulation, or disruption of system operations.

Detection Guidance

This vulnerability involves the creation of a named pipe (\\.\pipe\PBackupVSS) with overly permissive access control allowing authenticated users to read and write. Detection can focus on checking the existence and permissions of this named pipe on affected systems.

You can use system commands to check for the named pipe and its permissions. For example, on Windows systems, use the following commands:

  • Use PowerShell to check for the named pipe: Get-ChildItem \\.\pipe\ | Where-Object { $_.Name -eq 'PBackupVSS' }
  • Use Sysinternals' PipeList tool to enumerate named pipes and inspect permissions.
  • Use AccessChk from Sysinternals to check the DACL on the named pipe: accesschk.exe \pipe\PBackupVSS

If the named pipe exists and has GENERIC_READ and GENERIC_WRITE permissions granted to all authenticated users, the system is vulnerable.
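
The vulnerable condition above, expressed as a check over a pipe's security descriptor. This is an added example, not Matrix42 or vendor code: it assumes the descriptor has already been exported as an SDDL string, the function name Get-WeakPipeAce is hypothetical, and the two SDDL samples are constructed. It goes slightly beyond the stated case by also flagging Everyone, BUILTIN\Users and INTERACTIVE, and the mapped FILE_WRITE_DATA right.

```powershell
# Added example: flag DACL entries that let broad principals write to a pipe.
# Broad principals: Authenticated Users (AU), Everyone (WD), BUILTIN\Users (BU), INTERACTIVE (IU)
$BroadSids = 'AuthenticatedUserSid', 'WorldSid', 'BuiltinUsersSid', 'InteractiveSid' |
    ForEach-Object { [System.Security.Principal.WellKnownSidType]$_ }

# GENERIC_WRITE, GENERIC_ALL, and FILE_WRITE_DATA (part of what GENERIC_WRITE maps to on a pipe)
$WriteBits = 0x40000000 -bor 0x10000000 -bor 0x00000002

function Get-WeakPipeAce {
    param([Parameter(Mandatory)][string]$Sddl)

    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    if ($null -eq $sd.DiscretionaryAcl) {
        # A NULL DACL grants full access to everyone
        return [pscustomobject]@{ Principal = 'Everyone (NULL DACL)'; AccessMask = 'FULL' }
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only plain allow ACEs that carry a write-capable right are of interest
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        if (($ace.AccessMask -band $WriteBits) -eq 0) { continue }

        $sid = $ace.SecurityIdentifier
        if ($BroadSids | Where-Object { $sid.IsWellKnown($_) }) {
            [pscustomobject]@{
                Principal  = $sid.Value
                AccessMask = '0x{0:X8}' -f $ace.AccessMask
            }
        }
    }
}

# Constructed sample descriptors (not captured from an Empirum installation)
$samples = [ordered]@{
    'weak (GR/GW to Authenticated Users)' = 'D:(A;;GRGW;;;AU)(A;;GA;;;SY)'
    'restricted (SYSTEM and Administrators only)' = 'D:(A;;GA;;;SY)(A;;GA;;;BA)'
}
foreach ($name in $samples.Keys) {
    $hits = @(Get-WeakPipeAce -Sddl $samples[$name])
    $detail = ($hits | ForEach-Object { $_.Principal + ' ' + $_.AccessMask }) -join ', '
    '{0}: {1} weak ACE(s) {2}' -f $name, $hits.Count, $detail
}
```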

Mitigation Strategies

To mitigate this vulnerability, it is recommended to apply the official hotfix addressing PRB39539 or update the Empirum Personal Backup software to version 25.5 or later, or version 26.2 or later.

These updates fix the insecure permissions on the named pipe and prevent exploitation of the untrusted search path.

If immediate patching is not possible, restrict access to the named pipe by adjusting its permissions to prevent low-privileged users from connecting.

For further assistance, contacting Matrix42 Support is advised.
