CVE-2026-2627
Published: 17 February 2026
Summary
CVE-2026-2627 is a high-severity Link Following (CWE-59) vulnerability. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates identification, prioritization, and remediation of the improper link following flaw in Softland FBackup's Backup/Restore component via patching, workarounds, or removal given the vendor's lack of response.
Enforces an allowlist of approved software, preventing execution of vulnerable FBackup versions susceptible to local symlink-based privilege escalation.
Regular vulnerability scanning detects systems running unpatched Softland FBackup up to version 9.9 affected by CVE-2026-2627.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local symlink-following flaw (CWE-59) in FBackup directly enables arbitrary file access/modification/execution with elevated privileges from low-privileged local context, mapping to Exploitation for Privilege Escalation.
NVD Description
A security flaw has been discovered in Softland FBackup up to 9.9. This impacts an unknown function in the library C:\Program Files\Common Files\microsoft shared\ink\HID.dll of the component Backup/Restore. The manipulation results in link following. The attack needs to be approached…
more
locally. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2026-2627 is a security vulnerability in Softland FBackup versions up to 9.9, affecting an unknown function within the library C:\Program Files\Common Files\microsoft shared\ink\HID.dll of the Backup/Restore component. The flaw involves improper link following, corresponding to CWE-59 (Improper Link Resolution Before File Access ('Link Following')), and was published on 2026-02-17.
The vulnerability requires local access with low privileges (AV:L/PR:L), low attack complexity (AC:L), and no user interaction (UI:N), yielding a CVSS v3.1 base score of 7.8 (High) due to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). A local attacker could manipulate the affected function to follow symbolic links, potentially leading to unauthorized file access, modification, or execution with elevated privileges.
VulDB advisories detail the issue and note that the vendor was contacted early for disclosure but provided no response. A proof-of-concept exploit is publicly available in the GitHub repository at https://github.com/thezdi/PoC/tree/main/FilesystemEoPs, which may enable real-world attacks.
The exploit has been released to the public, increasing the risk of exploitation on unpatched systems running vulnerable FBackup versions. No vendor patches or official mitigations are available.
Details
- CWE(s)