JVN#35146924
ExpressUpdate Agent for Windows improper access restriction on its named pipe
Overview
ExpressUpdate Agent for Windows provided by NEC Corporation configures its named pipe with an improper access restriction.
Products Affected
- ExpressUpdate Agent for Windows 3.24 and prior
Description
ExpressUpdate Agent for Windows provided by NEC Corporation is the software module for NEC server products, to support remote management of installed software.
ExpressUpdate Agent for Windows configures its named pipe with an improper access restriction.
- Exposed IOCTL with Insufficient Access Control (CWE-782)
- CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.5
- CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score 7.8
- CVE-2026-8797
Impact
A non-administrative user who logs in to the product may execute arbitrary code with SYSTEM privilege.
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
The developer has released the following version addressing the vulnerability.
- ExpressUpdate Agent for Windows 3.25
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
MASAHIRO IIDA of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
|
| JVN iPedia |
JVNDB-2026-000088 |