CVE-2026-22676
Published: 15 April 2026
Summary
CVE-2026-22676 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique File System Permissions Weakness (T1044); ranked at the 2.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations, including restrictive filesystem ACLs on directories such as C:\Windows\Automation, so that low-privileged local users cannot modify or place executable files there.
- AC-6 (Least Privilege): restricts low-privileged users from accessing sensitive directories whose contents are executed under NT AUTHORITY\SYSTEM.
- Establishes and enforces secure configuration settings for filesystem permissions to prevent overly permissive ACLs on automation directories.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Insecure directory ACLs (T1044) directly enable local attackers to stage code for SYSTEM execution, achieving privilege escalation (T1068).
NVD Description
Barracuda RMM versions prior to 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on the C:\Windows\Automation directory. Attackers can modify existing automation content or place attacker-controlled files in this directory, which are then executed under the NT AUTHORITY\SYSTEM account during routine automation cycles, typically succeeding within the next execution cycle.
Deeper analysis
CVE-2026-22676, published on 2026-04-15, is a privilege escalation vulnerability (CWE-732) in Barracuda RMM versions prior to 2025.2.2. The issue arises from overly permissive filesystem access control lists (ACLs) on the C:\Windows\Automation directory, allowing local attackers to modify existing automation content or place attacker-controlled files there. These files execute under the NT AUTHORITY\SYSTEM account during routine automation cycles. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H).
A local attacker with low privileges (PR:L) can exploit this vulnerability with minimal complexity (AC:L) and no user interaction. By writing to the vulnerable directory, the attacker can trigger execution of malicious code as SYSTEM in the next automation cycle, achieving high impacts on confidentiality, integrity, and availability.
Barracuda addresses the issue in the release notes for version 2025.2.2 (https://download.mw-rmm.barracudamsp.com/PDF/2025.2.2/RN_BRMM_2025.2.2_EN.pdf), which security practitioners should review for patching details. Further technical analysis appears in the VulnCheck advisory (https://www.vulncheck.com/advisories/barracuda-rmm-privilege-escalation-via-insecure-directory-permissions). Updating to 2025.2.2 or later is the primary mitigation.
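As an added defender's check (not from the advisory, Barracuda or VulnCheck), the PowerShell script below audits the ACL of C:\Windows\Automation for write-class rights granted to principals every local low-privileged user belongs to; the principal list, the rights mask and the function name are assumptions about what "overly permissive" means here, not something the vendor publishes.

```powershell
using namespace System.Security.AccessControl
# Added example, not from the advisory or Barracuda: audit the automation
# directory ACL for write-class rights held by principals that every local
# low-privileged user belongs to. The principal list and the rights mask are
# assumptions about what "overly permissive" means in this advisory.

$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Bits that let a caller add, replace, delete or re-permission files here.
# Write/Modify/FullControl are composites of these bits, so they match too.
$WriteClassRights = [int]([FileSystemRights]::WriteData -bor [FileSystemRights]::AppendData -bor
    [FileSystemRights]::Delete -bor [FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
    [FileSystemRights]::WriteDacl -bor [FileSystemRights]::TakeOwnership) -bor
    0x50000000   # GENERIC_WRITE | GENERIC_ALL: generic bits Get-Acl leaves unmapped

function Get-WeakAutomationAce {
    param([string]$Path = 'C:\Windows\Automation')

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "Not found: $Path (RMM absent here, or a different layout)"
        return
    }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne [AccessControlType]::Allow) { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to int: an ACE carrying generic bits does not map onto the enum names.
        if (([int]$ace.FileSystemRights -band $WriteClassRights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$weak = @(Get-WeakAutomationAce)
if ($weak.Count -eq 0) {
    'No write-class access for low-privileged principals on the automation directory.'
} else {
    $weak | Format-Table -AutoSize
    'Write-class access found: treat as exposed to CVE-2026-22676 until on 2025.2.2 or later.'
}
```

A clean result only covers the directory's own DACL; the fix the advisory gives is the upgrade to 2025.2.2 or later, and the script is a way to confirm exposure on hosts that have not yet received it.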
Details
- CWE(s)