Cyber Resilience

CVE-2026-2123

High

Published: 31 March 2026

Modified: 03 April 2026
KEV Added:
Patch:
CVSS Score v4: 8.6
CVSS v4 vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0010 (1.1th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-2123 is a high-severity Improper Handling of Insufficient Permissions or Privileges (CWE-280) vulnerability in Microfocus Operations Agent. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 1.1th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-34 (Non-modifiable Executable Programs) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2123 is a privilege escalation vulnerability affecting Operations Agent versions 12.29 and earlier on Windows. A security audit identified that under specific conditions, the Operations Agent may execute binaries from certain writable locations, enabling unauthorized elevation of privileges. The issue carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-280: Improper Handling of Insufficient Permissions or Privileges. It was reported by Manuel Rickli and Philippe Leiser of Oneconsult AG.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction. Exploitation involves leveraging the agent's behavior to run executables from writable directories, potentially achieving high impacts on confidentiality, integrity, and availability through privilege escalation.

The vendor advisory, available at https://portal.microfocus.com/s/article/KM000046068, details mitigation steps and patches for addressing the vulnerability in affected Operations Agent installations.

Vulnerability details

A security audit identified a privilege escalation vulnerability in Operations Agent (<= OA 12.29) on Windows. Under specific conditions Operations Agent may run executables from specific writable locations. Thanks to Manuel Rickli & Philippe Leiser of Oneconsult AG for reporting this vulnerability.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local privilege escalation via agent executing binaries from insecure writable paths directly matches T1068.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-51459 (same product: Microsoft Windows)
CVE-2026-27910 (same vendor: Microsoft)
CVE-2026-20817 (same vendor: Microsoft)
CVE-2025-7024 (same product: Microsoft Windows)
CVE-2026-8510 (same product: Microsoft Windows)
CVE-2026-7432 (same product: Microsoft Windows)
CVE-2026-9890 (same product: Microsoft Windows)
CVE-2026-9937 (same product: Microsoft Windows)
CVE-2026-7911 (same product: Microsoft Windows)
CVE-2026-7994 (same product: Microsoft Windows)

Affected Assets

Vendor: microfocus
Product: operations agent
Versions: 12.22 — 12.29

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Prevents the Operations Agent from executing binaries from writable locations by restricting execution to non-modifiable executable programs.

Prevent: Timely flaw remediation through vendor patches directly corrects the privilege escalation vulnerability stemming from improper execution path validation.

Prevent: Enforces least privilege on the Operations Agent process, limiting the potential impact and scope of any privilege escalation from executed code in writable directories.
