Cyber Resilience

CVE-2026-2627

High

Published: 17 February 2026

Modified: 15 April 2026
CVSS Score v4: 8.5 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0024 (14.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-2627 is a high-severity Link Following (CWE-59) vulnerability. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 14.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-2627 is a security vulnerability in Softland FBackup versions up to 9.9, affecting an unknown function within the library C:\Program Files\Common Files\microsoft shared\ink\HID.dll of the Backup/Restore component. The flaw involves improper link following, corresponding to CWE-59 (Improper Link Resolution Before File Access ('Link Following')), and was published on 2026-02-17.

The vulnerability requires local access with low privileges (AV:L/PR:L), low attack complexity (AC:L), and no user interaction (UI:N), yielding a CVSS v3.1 base score of 7.8 (High) due to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). A local attacker could manipulate the affected function to follow symbolic links, potentially leading to unauthorized file access, modification, or execution with elevated privileges.

VulDB advisories detail the issue and note that the vendor was contacted early for disclosure but provided no response. A proof-of-concept exploit is publicly available in the GitHub repository at https://github.com/thezdi/PoC/tree/main/FilesystemEoPs, which may enable real-world attacks.

The exploit has been released to the public, increasing the risk of exploitation on unpatched systems running vulnerable FBackup versions. No vendor patches or official mitigations are available.

Vulnerability details

A security flaw has been discovered in Softland FBackup up to 9.9. This impacts an unknown function in the library C:\Program Files\Common Files\microsoft shared\ink\HID.dll of the component Backup/Restore. The manipulation results in link following. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The local symlink-following flaw (CWE-59) in FBackup directly enables arbitrary file access, modification, or execution with elevated privileges from a low-privileged local context, which maps to Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-49739 (Shared CWE-59)
CVE-2025-21419 (Shared CWE-59)
CVE-2025-15310 (Shared CWE-59)
CVE-2025-43220 (Shared CWE-59)
CVE-2025-60710 (Shared CWE-59)
CVE-2025-29795 (Shared CWE-59)
CVE-2025-15319 (Shared CWE-59)
CVE-2025-21391 (Shared CWE-59)
CVE-2025-43257 (Shared CWE-59)
CVE-2025-63946 (Shared CWE-59)

Mitigating Controls (NIST 800-53 r5) AI

prevent, detect

Directly mandates identification, prioritization, and remediation of the improper link following flaw in Softland FBackup's Backup/Restore component via patching, workarounds, or removal given the vendor's lack of response.

prevent

Enforces an allowlist of approved software, preventing execution of vulnerable FBackup versions susceptible to local symlink-based privilege escalation.

detect

Regular vulnerability scanning detects systems running unpatched Softland FBackup up to version 9.9 affected by CVE-2026-2627.
