HIGH | CVE-2026-11846 | CNA: twcert

CVE-2026-11846: IEI Integration Corp|iVEC-IEI Virtualization Edge Computer - Arbitrary File Deletion

The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has an Arbitrary File Deletion vulnerability that allows authenticated remote attackers to delete arbitrary system files or directories, resulting in data destruction or service disruption.

Metrics

  • CVSS v4.0: 7.2
  • Severity: HIGH
  • Fixed in: 1.0.4
  • Affected Products: 1

HarborGuard Analysis

Synopsis

Arbitrary file deletion vulnerability in IEI Integration Corp's iVEC-IEI Virtualization Edge Computer allows an authenticated remote attacker to delete arbitrary files and directories on the system. The attacker reaches the vulnerable service over the network and requires a low-privilege account; no victim interaction is needed. Successful exploitation enables destruction of system data or disruption of running services. A patched-image rebuild at version 1.0.4 is available on HarborGuard for environments running an affected version of iVEC TANK-XM811.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-11846 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against images in customer registries and CI/CD pipelines, including custom-built images that incorporate the affected iVEC TANK-XM811 software.

Triage (Available)

HarborGuard is capable of scoring this CVE at its published CVSS v4.0 rating of 7.2 (HIGH) and weighting it against each environment's compliance policy to determine urgency. Triage findings can be routed to the appropriate team inbox within each customer organization based on configured escalation rules.

Patch (Available)

A patched-image rebuild at version 1.0.4 becomes available on HarborGuard for any environment where an affected version (below 1.0.4) of iVEC TANK-XM811 is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the iVEC-IEI management interface over the network; the CVSS vector specifies AV:N, meaning no local or physical access is needed.

  • Authentication: Required

    A valid low-privilege account is sufficient to trigger the vulnerability; the CVSS vector specifies PR:L, so unauthenticated access alone does not enable exploitation.

  • Victim interaction: Not required

    No user action or social engineering is needed; the attacker can exploit the vulnerability entirely on their own once authenticated.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; the CVSS vector specifies AC:L and AT:N, meaning no race conditions or special environmental factors are required.

Blast Radius

  • Attacker deletes arbitrary files or directories on the target system, including critical operating system or application files.
  • Deletion of key system files causes service disruption or renders the virtualization edge computer inoperable.
  • Persistent data stored on the device, such as configuration files or workload state, is permanently destroyed with no recovery path if backups are absent.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-11846 is matched against customer images within minutes of ingestion from the twcert advisory feed. For environments running iVEC TANK-XM811 below version 1.0.4, a patched-image rebuild at 1.0.4 is available. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes a regression test run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with CVSS scoring and policy-weighted priority so teams can act on it manually. In the interim, restricting network access to the iVEC-IEI management interface via network policy or firewall rules reduces exposure by limiting which principals can reach the authenticated endpoint.

Fix available: 1.0.4

Affected packages

  • IEI Integration Corp / iVEC TANK-XM811
    < 1.0.4 (from 0)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N