PatchSiren cyber security CVE debrief
CVE-2026-15380 Broadcom CVE debrief
A non-administrator interactive user can obtain full SYSTEM code execution through a DCOM/task scheduler logic chain — no network access, no memory corruption required (ITMS 8.7.3). This vulnerability affects ITMS 8.7.3 and allows a non-administrator interactive user to gain full SYSTEM code execution via a DCOM/task scheduler logic chain, without requiring network access or memory corruption. Users of ITMS 8.7.3 should verify their inventory and check for vendor remediation. The CVE record was published on 2026-07-17T08:16:58.913Z and has not been modified since.
- Vendor
- Broadcom
- Product
- Symantec Management Suite
- CVSS
- MEDIUM 5.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of ITMS 8.7.3 should verify their inventory and check for vendor remediation. This includes operators, platform administrators, vulnerability management teams, and security teams who need to assess the impact of this vulnerability on their systems.
Technical summary
CVE-2026-15380 allows a non-administrator interactive user to gain full SYSTEM code execution via a DCOM/task scheduler logic chain, without requiring network access or memory corruption. This vulnerability affects ITMS 8.7.3 and has a medium CVSS score of 5.1. The vulnerability has a medium severity and requires no network access or memory corruption.
Defensive priority
Medium priority due to the medium CVSS score of 5.1.
Recommended defensive actions
- Verify inventory for ITMS 8.7.3
- Check for vendor remediation
- Implement compensating controls
- Monitor for suspicious activity
- Review relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
Evidence is limited; primary official records indicate a medium severity vulnerability in ITMS 8.7.3. Further verification is needed. The CVE record was published on 2026-07-17T08:16:58.913Z and has not been modified since. Official records suggest a DCOM/task scheduler logic chain vulnerability. Limited source detail is available, and defenders should verify their inventory and check for vendor remediation.
Official resources
-
CVE-2026-15380 CVE record
CVE.org
-
CVE-2026-15380 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T08:16:58.913Z and has not been modified since.