Cyber Resilience

CVE-2026-1680

HighPublic PoCLPE

Published: 30 January 2026

Published
30 January 2026
Modified
03 March 2026
KEV Added
Patch
CVSS Score v4 7.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X
EPSS Score 0.0001 0.9th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-1680 is a high-severity Execution with Unnecessary Privileges (CWE-250) vulnerability in Danofficeit Local Admin Service. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-1680, published on 2026-01-30, is an improper access control vulnerability in the WCF endpoint of Edgemo (now owned by Danoffice IT) Local Admin Service version 1.2.7.23180 on Windows. The issue resides in the LocalAdminService.exe named pipe, which fails to enforce client-side group membership restrictions, enabling unauthorized privilege escalation.

A local user with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N) by directly communicating with the named pipe. Successful exploitation allows the attacker to elevate privileges to local administrator, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in the CVSS 3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability is linked to CWE-250 and NVD-CWE-Other.

Mitigation details are outlined in advisories available at https://retest.dk/local-privilege-escalation-vulnerability-found-in-local-admin-service/ and https://www.danofficeit.com/howwedoit/workplace/management/.

EU & UK References

Vulnerability details

Improper access control in the WCF endpoint in Edgemo (now owned by Danoffice IT) Local Admin Service 1.2.7.23180 on Windows allows a local user to escalate their privileges to local administrator via direct communication with the LocalAdminService.exe named pipe, bypassing…

more

client-side group membership restrictions.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct local privilege escalation via exploitation of improper access control on a named pipe service endpoint.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-58383Shared CWE-250
CVE-2025-22890Shared CWE-250
CVE-2025-57119Shared CWE-250
CVE-2024-21924Shared CWE-250
CVE-2024-49814Shared CWE-250
CVE-2026-0870Shared CWE-250
CVE-2025-40942Shared CWE-250
CVE-2024-48013Shared CWE-250
CVE-2026-3623Shared CWE-250
CVE-2026-25908Shared CWE-250

Affected Assets

danofficeit
local admin service
1.2.7.23180

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates enforcement of approved authorizations for access to system resources like named pipes, addressing the improper access control that bypasses group membership restrictions.

prevent

Employs least privilege to restrict processes like LocalAdminService.exe to minimal necessary access, limiting the impact of privilege escalation even if enforcement fails.

prevent

Requires timely identification, reporting, and correction of flaws such as this improper access control vulnerability in LocalAdminService.exe version 1.2.7.23180.

References