CVE-2026-2123
Published: 31 March 2026
Summary
CVE-2026-2123 is a high-severity Improper Handling of Insufficient Permissions or Privileges (CWE-280) vulnerability in Microfocus Operations Agent. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 3.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-34 (Non-modifiable Executable Programs) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-34 (Non-modifiable Executable Programs): prevents the Operations Agent from executing binaries from writable locations by restricting execution to non-modifiable executable programs.
- SI-2 (Flaw Remediation): timely remediation through vendor patches directly corrects the privilege escalation vulnerability stemming from improper execution path validation.
- Least privilege: enforcing least privilege on the Operations Agent process limits the potential impact and scope of any privilege escalation from code executed out of writable directories.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local privilege escalation through the agent executing binaries from insecure, writable paths maps directly to T1068.
NVD Description
A security audit identified a privilege escalation vulnerability in Operations Agent (<= OA 12.29) on Windows. Under specific conditions Operations Agent may run executables from specific writable locations. Thanks to Manuel Rickli & Philippe Leiser of Oneconsult AG for reporting this vulnerability.
Deeper analysis
CVE-2026-2123 is a privilege escalation vulnerability affecting Operations Agent versions 12.29 and earlier on Windows. A security audit identified that, under specific conditions, the Operations Agent may execute binaries from certain writable locations, enabling unauthorized elevation of privileges. The issue carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-280: Improper Handling of Insufficient Permissions or Privileges. It was reported by Manuel Rickli and Philippe Leiser of Oneconsult AG.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction. Exploitation involves leveraging the agent's behavior to run executables from writable directories, potentially achieving high impacts on confidentiality, integrity, and availability through privilege escalation.
The vendor advisory, available at https://portal.microfocus.com/s/article/KM000046068, details mitigation steps and patches for addressing the vulnerability in affected Operations Agent installations.
Details
- CWE(s)