CVE-2026-11858: Missing authorization in Quanos SCHEMA ST4 Client Update Service allows arbitrary file overwrite as SYSTEM
Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service. The update service runs as NT AUTHORITY\SYSTEM and exposes a .NET Remoting interface over a named pipe without sufficient access controls or authorization. A local authenticated low-privileged user can connect to the interface and invoke privileged update methods such as Update(). This allows arbitrary file write and delete operations with SYSTEM privileges and can be used to achieve local privilege escalation.
Metrics
- CVSS v4.0: 8.4
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A missing authorization vulnerability in the Quanos SCHEMA ST4 Client Update Service allows a local attacker to escalate privileges to SYSTEM. The service runs as NT AUTHORITY\SYSTEM and exposes a .NET Remoting interface over a named pipe without access controls, reachable by any locally authenticated low-privileged user without network access. Successful exploitation gives the attacker arbitrary file write and delete operations at SYSTEM level, enabling full local privilege escalation. No fix version has been published; HarborGuard tracks this advisory and will surface a patched rebuild the moment an upstream fix is released.
HarborGuard Coverage
Detection of CVE-2026-11858 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle SCHEMA ST4 on-premises components. Any image found to carry an affected version of the ST4 package is flagged immediately.
Status: Available
Triage is available with CVSS v4.0 scoring at 8.4 (HIGH), and each finding is weighted against the per-environment compliance policy configured by the customer org before being routed to the appropriate team inbox. This ensures that environments with stricter privilege-escalation policies surface the finding at the right priority without manual re-scoring.
Status: Available
Because no fix version has been published upstream, HarborGuard re-checks the Quanos advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without requiring manual intervention.
Status: Pending upstream
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; the vulnerable named pipe interface is local-only and is not exposed over the network.
- Authentication: Required
  Any low-privilege local account is sufficient to connect to the unprotected .NET Remoting interface and invoke privileged update methods.
- Victim interaction: Not required
  No victim interaction is needed; the attacker connects directly to the named pipe and invokes the privileged interface without any user involvement.
- Attack complexity: Detail
  The exploit is reliable and condition-free: no race conditions, memory-layout dependencies, or other environmental factors are required to invoke the exposed update methods.
Blast Radius
- Writes arbitrary files anywhere on the local filesystem under NT AUTHORITY\SYSTEM privileges, including overwriting security-critical executables or configuration files.
- Deletes arbitrary files on the local filesystem as SYSTEM, allowing removal of audit logs, security tooling, or OS-level binaries.
- Leverages file write primitives to plant malicious binaries in auto-start locations, achieving persistent code execution as SYSTEM on the affected host.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for CVE-2026-11858 as of publication, HarborGuard monitors the Quanos advisory on every ingest cycle and will trigger a patched-image rebuild automatically once an upstream fix is released. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads, with no manual steps required.
In the interim, compensating controls worth evaluating include:
- restricting named pipe access via local security policy or AppLocker rules to limit which accounts can connect to the ST4 update service pipe;
- applying least-privilege principles to ensure the service account scope is minimized where possible;
- using host-based integrity monitoring to alert on unexpected file writes originating from the SYSTEM account.
HarborGuard will surface the patched rebuild and re-score affected findings as soon as Quanos publishes a fix version.
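One way to implement the host-based monitoring listed among the compensating controls, as an added example that is not HarborGuard or Quanos code: it scans Sysmon file-create and file-delete events (IDs 11, 23, 26) and flags writes or deletes performed by the update service outside its install directory. The service image path and install directory are placeholders, since the advisory does not name them, and the sample events are constructed.

```python
import ntpath

# Placeholders: the advisory names neither the service binary nor its install
# directory, so both paths below are hypothetical and must be set per host.
SERVICE_IMAGE = r"C:\PLACEHOLDER\ST4\UpdateService.exe"
ALLOWED_ROOTS = [r"C:\PLACEHOLDER\ST4"]
# Standard Windows locations where a SYSTEM-level write or delete matters most
# (an illustrative, not exhaustive, list).
SENSITIVE_ROOTS = [
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    r"C:\Windows\System32",
]
# Sysmon event IDs: 11 FileCreate, 23 FileDelete, 26 FileDeleteDetected.
FILE_EVENTS = {11: "write", 23: "delete", 26: "delete"}

def norm(path):
    """Case-fold and normalise separators so prefix comparisons are reliable."""
    return ntpath.normcase(ntpath.normpath(path))

def under(path, root):
    root = norm(root)
    return path == root or path.startswith(root + "\\")

def classify(event):
    """Return None if the event is out of scope, else (severity, action, path)."""
    action = FILE_EVENTS.get(event.get("EventID"))
    if action is None or norm(event.get("Image", "")) != norm(SERVICE_IMAGE):
        return None
    target = norm(event["TargetFilename"])
    if any(under(target, r) for r in ALLOWED_ROOTS):
        return None  # expected update activity inside the install directory
    sensitive = any(under(target, r) for r in SENSITIVE_ROOTS)
    return ("high" if sensitive else "medium", action, target)

def alerts(events):
    return [hit for hit in map(classify, events) if hit]

# Constructed sample events (field names follow Sysmon; values are made up).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SERVICE_IMAGE, "TargetFilename": r"C:\PLACEHOLDER\ST4\bin\client.dll"},
    {"EventID": 11, "Image": SERVICE_IMAGE, "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\example.exe"},
    {"EventID": 23, "Image": SERVICE_IMAGE, "TargetFilename": r"C:\Windows\System32\winevt\Logs\Security.evtx"},
    {"EventID": 23, "Image": SERVICE_IMAGE, "TargetFilename": r"C:\Users\Public\notes.txt"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe", "TargetFilename": r"C:\Windows\System32\x.tmp"},
]

if __name__ == "__main__":
    for severity, action, path in alerts(SAMPLE_EVENTS):
        print(f"{severity:6} {action:6} {path}")
```

Tune `ALLOWED_ROOTS` against a baseline of normal update runs before alerting on the medium tier, since legitimate updates may touch paths outside the install directory.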
- Quanos Solutions GmbH / SCHEMA ST4: SCHEMA ST4 on-premises, all versions
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N