Cyber Resilience

CVE-2026-22676

High · Public PoC · LPE

Published: 15 April 2026

Modified: 17 April 2026
CVSS Score v4: 8.5 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0010 (1.3th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-22676 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Services File Permissions Weakness (T1574.010). The CVE is ranked at the 1.3th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-22676, published on 2026-04-15, is a privilege escalation vulnerability (CWE-732) in Barracuda RMM versions prior to 2025.2.2. The issue arises from overly permissive filesystem access control lists (ACLs) on the C:\Windows\Automation directory, allowing local attackers to modify existing automation content or place attacker-controlled files there. These files execute under the NT AUTHORITY\SYSTEM account during routine automation cycles. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H).

A local attacker with low privileges (PR:L) can exploit this vulnerability with minimal complexity (AC:L) and no user interaction. By writing to the vulnerable directory, the attacker can trigger execution of malicious code as SYSTEM in the next automation cycle, achieving high impacts on confidentiality, integrity, and availability.

Barracuda addresses the issue in the release notes for version 2025.2.2 (https://download.mw-rmm.barracudamsp.com/PDF/2025.2.2/RN_BRMM_2025.2.2_EN.pdf), which security practitioners should review for patching details. Further technical analysis appears in the VulnCheck advisory (https://www.vulncheck.com/advisories/barracuda-rmm-privilege-escalation-via-insecure-directory-permissions). Updating to 2025.2.2 or later is the primary mitigation.
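A defender-side check for the condition described above, written as an added example (it is not Barracuda's code and does not come from the advisory): it lists allow ACEs on the automation directory and its contents that give write-capable rights to principals outside a short trusted list. The trusted SID list and the choice of "write-capable" rights are assumptions of this example; adjust them to local policy.

```powershell
# Added example: audit write-capable ACEs on a directory whose content runs as SYSTEM.
param(
    [string]$Path = 'C:\Windows\Automation'   # directory named in the advisory
)

# Rights that allow creating, replacing, deleting or re-permissioning content.
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Also catch raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$mask = [int]$writeRights -bor 0x40000000 -bor 0x10000000

# Principals expected to hold write access (assumption of this example).
$trusted = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-3-0',        # CREATOR OWNER (only affects objects the creator could already make)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    Write-Output "Directory not present: $Path"
    return
}

$sidType = [System.Security.Principal.SecurityIdentifier]
$ntType  = [System.Security.Principal.NTAccount]
# Check the directory itself and everything beneath it, since existing
# automation files can carry their own permissive ACLs.
$items = @(Get-Item -LiteralPath $Path -Force) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
        # Resolve the SID to a name for the report; keep the SID if it cannot be resolved.
        $name = try { $ace.IdentityReference.Translate($ntType).Value }
                catch { $ace.IdentityReference.Value }
        [pscustomobject]@{
            Item      = $item.FullName
            Principal = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Owner     = $acl.Owner
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output "No write-capable ACEs for untrusted principals under $Path" }
```

Any row naming a broad group such as Users, Authenticated Users or Everyone indicates the permissive-ACL condition this CVE describes and should be gone after updating to 2025.2.2 or later.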

Vulnerability details

Barracuda RMM versions prior to 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on the C:\Windows\Automation directory. Attackers can modify existing automation content or place attacker-controlled files in this directory, which are then executed under the NT AUTHORITY\SYSTEM account during routine automation cycles, typically succeeding within the next execution cycle.

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1574.010 Services File Permissions Weakness · Stealth
Adversaries may execute their own malicious payloads by hijacking the binaries used by services.

T1068 Exploitation for Privilege Escalation · Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Insecure directory ACLs (T1044) directly enable local attackers to stage code for SYSTEM execution, achieving privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2019-25343 · Shared CWE-732
CVE-2019-25344 · Shared CWE-732
CVE-2026-26101 · Shared CWE-732
CVE-2025-33088 · Shared CWE-732
CVE-2025-21325 · Shared CWE-732
CVE-2025-12985 · Shared CWE-732
CVE-2026-25112 · Shared CWE-732
CVE-2025-22454 · Shared CWE-732
CVE-2026-8110 · Shared CWE-732
CVE-2024-55411 · Shared CWE-732

Affected Assets

Barracuda RMM
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: Enforces approved authorizations including restrictive filesystem ACLs on directories like C:\Windows\Automation to block low-privileged local attackers from modifying or placing executable files.

Prevent: Implements least privilege principle to restrict low-privileged users from accessing sensitive directories executed under NT AUTHORITY\SYSTEM.

Prevent: Establishes and enforces secure configuration settings for filesystem permissions to prevent overly permissive ACLs on automation directories.
