HIGH | CVE-2026-32325 | CNA: jpcert

CVE-2026-32325: Privilege chaining issue exists in ServerView Agents for Windows V11

Privilege chaining issue exists in ServerView Agents for Windows V11.60.04 and earlier. If this vulnerability is exploited, a local authenticated attacker who can log in to the server where the affected product is installed may obtain SYSTEM privilege.

Metrics

  • CVSS v4.0: 8.5
  • Severity: HIGH
  • Fixed in: (none listed)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A privilege chaining vulnerability exists in ServerView Agents for Windows V11.60.04 and earlier, a server monitoring agent from Fsas Technologies. The vulnerability requires local access and a low-privilege account on the host; no network exposure is needed. Successful exploitation allows the attacker to escalate to SYSTEM privilege, giving full control over the affected Windows host. No fix version has been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild as soon as upstream ships a fix.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including JPCERT advisories, within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built Windows container images running the affected agent version.

Status: Available

Triage

HarborGuard can score this finding at CVSS v4.0 8.5 (HIGH) and weight it against each environment's compliance policy to determine urgency. Findings can be routed to the appropriate team inbox within the customer organization based on image ownership and policy configuration.

Status: Available

Patch

Because no fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Fsas Technologies publishes a corrected version. In the interim, the finding remains open and flagged at HIGH severity in the customer dashboard.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network-facing interface is required to trigger the vulnerability.

  • Authentication: Required

    Any low-privilege local account is sufficient; the attacker does not need administrator or elevated credentials to begin the exploit chain.

  • Victim interaction: Not required

    No user interaction or social-engineering step is required; the attacker can execute the privilege escalation independently.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and imposes no special environmental conditions, race timing, or memory-layout requirements.

Blast Radius

  • Escalates the attacker's session to SYSTEM, the highest privilege level on a Windows host, bypassing all user-mode access controls.
  • Reads any file or credential material on the host, including secrets stored by the ServerView agent, OS credential stores, and application config files.
  • Modifies or deletes system files, agent configuration, and persisted data, allowing tampering with monitoring data or sabotage of the host.
  • Crashes or disables services on the host, including the ServerView agent itself, disrupting server health monitoring and alerting pipelines.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-32325 is active and matches any image carrying ServerView Agents for Windows at V11.60.04 or earlier. Because Fsas Technologies has not yet published a patched release, no rebuild is available at this time. HarborGuard re-evaluates the advisory on every ingest cycle and will automatically queue a patched-image rebuild for affected environments the moment a fix version appears upstream. Where compliance policy permits, customers with auto-remediation enabled will receive the rebuilt image, a regression-test run, and a PR opened against affected workloads without manual intervention.

In the interim, recommended compensating controls include restricting local login access to the servers running the agent to the minimum necessary set of accounts, auditing local group membership to prevent unauthorized low-privilege accounts from existing on those hosts, and applying host-based process-isolation or privilege-guard tooling where available. The advisory will remain open and visible at HIGH severity until a fix version is confirmed and the patched rebuild is validated.

Affected packages
  • Fsas Technologies Inc. / ServerView Agents for Windows
    V11.60.04 and earlier

CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
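
The Exploit Conditions listed earlier can be derived from this vector mechanically during triage. The Python below is an added example, not HarborGuard's code: `parse_vector` and `triage_conditions` are hypothetical names, and it validates only the CVSS v4.0 base metrics without computing a score.

```python
# Added example: decode a CVSS v4.0 base vector into triage conditions.
IMPACT = {"H": "High", "L": "Low", "N": "None"}
BASE_METRICS = {  # mandatory base metrics, in the order the format requires
    "AV": {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"},
    "AC": {"L": "Low", "H": "High"},
    "AT": {"N": "None", "P": "Present"},
    "PR": {"N": "None", "L": "Low", "H": "High"},
    "UI": {"N": "None", "P": "Passive", "A": "Active"},
    "VC": IMPACT, "VI": IMPACT, "VA": IMPACT,  # vulnerable system impact
    "SC": IMPACT, "SI": IMPACT, "SA": IMPACT,  # subsequent system impact
}

def parse_vector(vector):
    """Return {metric: readable value} for the base metrics, or raise ValueError."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    seen = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or not value or key in seen:
            raise ValueError(f"malformed or duplicate metric: {part!r}")
        if key in BASE_METRICS and value not in BASE_METRICS[key]:
            raise ValueError(f"invalid value for {key}: {value!r}")
        seen[key] = value  # non-base metrics are kept but not validated here
    if [k for k in seen if k in BASE_METRICS] != list(BASE_METRICS):
        raise ValueError("base metrics missing or out of order")
    return {k: BASE_METRICS[k][seen[k]] for k in BASE_METRICS}

def triage_conditions(vector):
    """Map base metrics onto the rows of an exploit-conditions summary."""
    m = parse_vector(vector)
    return {
        "network_reachability_required": m["AV"] in ("Network", "Adjacent"),
        "authentication_required": m["PR"] != "None",
        "victim_interaction_required": m["UI"] != "None",
        "attack_complexity": m["AC"],
        "full_host_impact": all(m[k] == "High" for k in ("VC", "VI", "VA")),
        "subsequent_system_impact": any(m[k] != "None" for k in ("SC", "SI", "SA")),
    }

if __name__ == "__main__":
    # Vector taken from this advisory page.
    page_vector = "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
    for name, value in triage_conditions(page_vector).items():
        print(f"{name}: {value}")
```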