PatchSiren cyber security CVE debrief
CVE-2026-9489 Acer CVE debrief
NitroSense 3.x before 3.01.3052 contains a Local Privilege Escalation (LPE) vulnerability. The application exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. This Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary code with NT AUTHORITY\SYSTEM privileges and to delete arbitrary files with SYSTEM privileges. By leveraging this, an attacker can execute arbitrary code on the target system with elevated privileges.
- Vendor: Acer
- Product: NitroSense V3
- CVSS: HIGH 8.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
Organizations and individuals using Acer systems with NitroSense software versions prior to 3.01.3052 should prioritize patching. System administrators managing endpoints with NitroSense installed should assess exposure and apply updates. Security teams should monitor for potential privilege escalation attempts on unpatched systems.
Technical summary
The vulnerability stems from a misconfigured Windows Named Pipe in NitroSense 3.x that exposes internal functions through a custom protocol. The Named Pipe's access control configuration fails to properly restrict which authenticated users can connect to it, allowing any local authenticated user to invoke functions that execute with SYSTEM privileges. This enables both arbitrary code execution and arbitrary file deletion with elevated privileges. The attack requires local access and valid user credentials, but no user interaction. The CVSS 4.0 score of 8.5 (HIGH) reflects significant impacts across confidentiality, integrity, and availability dimensions.
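The summary above describes a pipe whose access control lets any authenticated local user connect. As an added example (not Acer's code and not part of the advisory), the following Python sketch audits a named pipe security descriptor in SDDL form for allow entries that give broad trustees write access. The advisory does not publish the pipe name or its descriptor, so the SDDL strings here are constructed, and obtaining the real descriptor from an endpoint is left to the administrator's own tooling.

```python
import re

# SDDL rights tokens -> access-mask bits (subset relevant to pipes and files).
RIGHTS = {
    "GA": 0x10000000, "GW": 0x40000000, "GR": 0x80000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FW": 0x00120116, "FR": 0x00120089, "FX": 0x001200A0,
    "WD": 0x00040000, "WO": 0x00080000, "SD": 0x00010000, "RC": 0x00020000,
}
# FILE_WRITE_DATA | GENERIC_WRITE | GENERIC_ALL: any of these lets a client
# send requests to the pipe server.
WRITE_BITS = 0x00000002 | 0x40000000 | 0x10000000
# Trustees that include every ordinary local account.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Builtin Users",
         "IU": "Interactive", "S-1-1-0": "Everyone",
         "S-1-5-11": "Authenticated Users"}

def parse_mask(rights):
    """Convert an SDDL rights field (hex or two-letter tokens) to a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for token in re.findall("..", rights):
        mask |= RIGHTS.get(token, 0)
    return mask

def audit_pipe_sddl(sddl):
    """List allow ACEs granting write access to broad trustees.
    Deny ACEs and inheritance flags are ignored, so a finding means
    'review this descriptor', not proof of exposure."""
    dacl = re.search(r"D:([^()]*)((?:\([^)]*\))*)", sddl)
    if dacl is None:
        return ["no DACL present: treat as unrestricted"]
    if "NO_ACCESS_CONTROL" in dacl.group(1):
        return ["NULL DACL: every caller gets full access"]
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(2)):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A":
            continue
        trustee, rights = fields[5], fields[2]
        if trustee in BROAD and parse_mask(rights) & WRITE_BITS:
            findings.append(f"{BROAD[trustee]} ({trustee}) can write: {rights}")
    return findings

# Constructed descriptors for illustration (not taken from NitroSense).
WEAK = "O:SYG:SYD:(A;;GA;;;SY)(A;;GRGW;;;AU)"
TIGHT = "O:SYG:SYD:(A;;GA;;;SY)(A;;GA;;;BA)(A;;FR;;;AU)"
```

A finding on a pipe served by a SYSTEM process is the pattern this advisory describes in general terms; an empty result on `TIGHT` shows read-only access for Authenticated Users passing the check.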
Defensive priority
HIGH
Recommended defensive actions
- Upgrade NitroSense to version 3.01.3052 or later to remediate this vulnerability
- Review and restrict local user access to systems running NitroSense where patching is not immediately possible
- Monitor for suspicious Named Pipe activity related to NitroSense processes
- Apply the principle of least privilege for local user accounts on affected systems
- Review Acer's knowledge base guidance for additional mitigation steps
Evidence notes
The vulnerability description indicates this affects NitroSense 3.x versions prior to 3.01.3052. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) confirms local attack vector with low attack complexity, low privileges required, and high impacts to confidentiality, integrity, and availability. The weakness enumerations include CWE-22 (Path Traversal), CWE-269 (Improper Privilege Management), CWE-284 (Improper Access Control), and CWE-732 (Incorrect Permission Assignment for Critical Resource).
Official resources
- CVE-2026-9489 CVE record (CVE.org)
- CVE-2026-9489 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 8fc372e3-d9c5-46e4-9410-38469745c639
This vulnerability was published in the NVD on 2026-05-25 and last modified on 2026-05-26. The vulnerability is currently in 'Awaiting Analysis' status per NVD. Acer has published a knowledge base article addressing this issue.