Severity: HIGH, CVE-2026-11857, CNA: SEC-VLab

CVE-2026-11857: Insecure .NET Remoting deserialization in Quanos SCHEMA ST4 Client Update Service allows local privilege escalation

Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service due to insecure deserialization in the .NET Remoting service. The service is configured with TypeFilterLevel.Full and is bound to local interfaces only through named pipes. A local authenticated attacker can connect to the local named pipe, obtain the .NET Remoting endpoint, and send specially crafted serialized objects. Successful exploitation results in arbitrary code execution in the context of the update process with NT AUTHORITY\SYSTEM privileges. Network-only exploitation is not possible and local host access with an authenticated user session is required.

Metrics

CVSS v4.0: 8.4
Severity: HIGH
Fixed in: none published
Affected Products: 1


HarborGuard Analysis

Synopsis

This is an insecure deserialization vulnerability in the Client Update Service component of Quanos SCHEMA ST4 on-premises software. The flaw is exploitable only from the local host by an authenticated user who connects to a named pipe and sends a crafted serialized object to the .NET Remoting endpoint, which is configured with TypeFilterLevel.Full. Successful exploitation gives the attacker arbitrary code execution as NT AUTHORITY\SYSTEM, representing a full local privilege escalation. No fix version has been published yet; HarborGuard tracks the advisory and will surface a patched-image rebuild as soon as an upstream fix is released.
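The synopsis turns on two settings: a remoting formatter at TypeFilterLevel.Full and a local named pipe any authenticated user can open. The following audit sketch is an added example, not HarborGuard or Quanos code; it assumes the remoting channel is declared in a .NET configuration file (a service may instead set it in code), and the sample XML and pipe names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (not taken from SCHEMA ST4); portName values are placeholders.
SAMPLE_CONFIG = """<configuration>
  <system.runtime.remoting>
    <application>
      <channels>
        <channel ref="ipc" portName="ExampleUpdatePipe">
          <serverProviders>
            <formatter ref="binary" typeFilterLevel="Full" />
          </serverProviders>
        </channel>
        <channel ref="ipc" portName="ExampleHardenedPipe" authorizedGroup="Administrators">
          <serverProviders>
            <formatter ref="binary" typeFilterLevel="Low" />
          </serverProviders>
        </channel>
      </channels>
    </application>
  </system.runtime.remoting>
</configuration>"""


def audit_remoting_config(xml_text):
    """Return one finding per server-side formatter declared on a remoting channel."""
    root = ET.fromstring(xml_text)
    findings = []
    for channel in root.iter("channel"):
        cattrs = {k.lower(): v for k, v in channel.attrib.items()}  # tolerate case drift
        for fmt in channel.findall("./serverProviders/formatter"):
            fattrs = {k.lower(): v for k, v in fmt.attrib.items()}
            level = fattrs.get("typefilterlevel", "Low")  # Low is the framework default
            issues = []
            if level.lower() == "full":
                issues.append("typeFilterLevel=Full: full deserialization level enabled")
            if cattrs.get("ref", "").lower() == "ipc" and "authorizedgroup" not in cattrs:
                issues.append("ipc channel has no authorizedGroup limiting pipe access")
            findings.append({"port": cattrs.get("portname"), "level": level, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_remoting_config(SAMPLE_CONFIG):
        print(finding["port"], finding["level"], finding["issues"] or "no issues flagged")
```

An empty result only means the setting is not visible in that configuration file; it does not show that the service is unaffected.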

HarborGuard Coverage

Detection

Detection of CVE-2026-11857 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle SCHEMA ST4 on-premises components.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.4 (High, v4.0) and weighting findings against each environment's compliance policy, then routing the alert to the appropriate team inbox within the customer org.

Status: Available

Patch

Because no fix version has been published for this CVE, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream vendor ships a corrected release. In the meantime, compensating-control recommendations are surfaced in the finding detail for affected images.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; the vulnerable named pipe is bound to local interfaces only and cannot be reached over the network.

  • Authentication: Required

    A low-privilege local user account is sufficient; the attacker must hold an authenticated session on the host to connect to the named pipe.

  • Victim interaction: Not required

    No action from another user or process is needed; the attacker connects and sends the payload entirely on their own.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race conditions or special memory layout are required to deliver the crafted serialized object.

Blast Radius

  • Attacker executes arbitrary code in the context of the Client Update Service process running as NT AUTHORITY\SYSTEM, gaining full control of the operating system on the affected host.
  • All files, registry keys, and secrets accessible to SYSTEM can be read, including credentials cached on the host.
  • The attacker can write or overwrite any file on the host, install drivers, create new accounts, or tamper with any running process.

How HarborGuard Handles This

Available on HarborGuard: images containing SCHEMA ST4 on-premises components are flagged immediately upon CVE ingestion, with a CVSS 8.4 High severity finding routed according to each environment's compliance policy. Because Quanos has not yet published a fix version, no patched-image rebuild is available at this time. HarborGuard re-checks the advisory on every ingest cycle and will automatically generate a patched rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads the moment an upstream fix is published. While awaiting a vendor patch, the finding detail surfaces compensating-control suggestions such as restricting local user account scope on hosts running ST4, applying named-pipe access control list hardening to limit which accounts can connect to the update service pipe, and isolating affected hosts from broader administrative networks where feasible.

Affected packages
  • Quanos Solutions GmbH / SCHEMA ST4
    SCHEMA ST4 on-premises, all versions
CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N