HIGH | CVE-2026-9789 | CNA: Acer

CVE-2026-9789: NitroSense V3: Security Vulnerability Information

A Local Privilege Escalation (LPE) vulnerability affects Acer NitroSense software versions prior to 3.01.3052. The vulnerability stems from the PSAdminAgent service, which creates a Named Pipe with a weak Access Control List (ACL). This allows any authenticated local user to connect and send commands. Because the service does not check the caller's privileges before running file deletion commands, a low-privileged local user can exploit this to delete arbitrary files with system authority.

HarborGuard Analysis

Synopsis

A local privilege escalation vulnerability affects Acer NitroSense software versions up to and including 3.01.3052. The PSAdminAgent service creates a Named Pipe with a weak access control list, allowing any authenticated local user to connect and issue commands without privilege checks. Successful exploitation lets a low-privileged local user delete arbitrary files with SYSTEM-level authority, enabling tampering with protected system files, persistent access, or denial of service. No fix version has been published; HarborGuard tracks this advisory for patch availability.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle the affected NitroSense software.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 8.5 (High) and weighting it against each environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer organization is available automatically based on configured ownership rules.

Status: Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment Acer publishes a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version becomes available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the target is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to connect to the Named Pipe and issue commands.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker operates entirely through their own session.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race conditions or specific memory layout requirements are necessary.

Blast Radius

  • Deletes arbitrary files on the host with SYSTEM authority, including protected OS binaries and security tooling.
  • Overwrites or removes authentication-related files, enabling persistent unauthorized access or account takeover.
  • Disrupts running services by deleting their dependencies or configuration files, causing denial of service.
  • Facilitates further privilege escalation by removing access-control enforcement files or audit logs.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-9789 is active and matches against all customer images containing the affected NitroSense software. Because Acer has not yet published a patched release, HarborGuard monitors the advisory on every ingest cycle. The moment a fix version is published upstream, a patched-image rebuild becomes available automatically. For customers with auto-remediation enabled, the pipeline will trigger the rebuild, execute a regression test run, and open a PR against affected workloads without manual intervention. In the interim, compensating controls worth evaluating include restricting local user account access on hosts running NitroSense, applying least-privilege policies to limit which accounts can interact with Named Pipe endpoints, and using host-level audit tooling to flag unexpected file deletions originating from the PSAdminAgent service.
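
The weak-ACL condition behind this advisory can be audited from a pipe's security descriptor. The following is an added example, not HarborGuard or Acer code: a Python function that parses an SDDL string and flags allow ACEs granting pipe write access to broad groups. The sample descriptors are constructed, and retrieving the SDDL for the PSAdminAgent pipe (whose name is not given on this page) is assumed to be done with the operator's own tooling.

```python
import re

# SDDL right codes -> access-mask bits (values from winnt.h / sddl.h)
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
}
# Bits that let a client write to a pipe: FILE_WRITE_DATA, GENERIC_WRITE, GENERIC_ALL
PIPE_WRITE = 0x2 | 0x40000000 | 0x10000000
# Trustees that include every ordinary local account
BROAD = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "BU": "BUILTIN\\Users", "S-1-5-32-545": "BUILTIN\\Users",
    "IU": "INTERACTIVE", "S-1-5-4": "INTERACTIVE",
}

def parse_mask(rights):
    """Turn an SDDL rights field (hex or two-letter codes) into a bitmask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHTS[code]  # unknown code raises KeyError rather than under-reporting
    return mask

def weak_pipe_aces(sddl):
    """Return (trustee, mask) for each allow ACE giving a broad group pipe write access.
    Deny ACEs are not evaluated, so the result errs toward over-reporting."""
    dacl = re.search(r"D:([A-Z_]*)((?:\([^)]*\))*)", sddl)
    if dacl is None:
        return []
    if dacl.group(1) == "NO_ACCESS_CONTROL":  # NULL DACL: no access control at all
        return [("Everyone", 0x10000000)]
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(2)):
        ace_type, _flags, rights, _obj, _inh, sid = ace.split(";")[:6]
        mask = parse_mask(rights)
        if ace_type == "A" and sid in BROAD and mask & PIPE_WRITE:
            findings.append((BROAD[sid], mask))
    return findings

# Constructed sample descriptors (not taken from NitroSense)
WEAK = "O:SYG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)(A;;GRGW;;;AU)"
HARDENED = "O:SYG:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)"
```

An empty result means no broad trustee can write to the pipe; any finding is a descriptor that lets ordinary local accounts send data to the service.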


Metrics

CVSS v4.0: 8.5
Severity: HIGH
Fixed in:
Affected Products: 1
Affected packages:
  • Acer / NitroSense V3 ≤ 3.01.3052
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N