CVE-2026-26722

CriticalPublic PoC

Published: 20 February 2026

Published

20 February 2026

Modified

26 February 2026

KEV Added

—

Patch

—

CVSS Score 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

EPSS Score 0.0022 44.1th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26722 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Keystorage Global Facilities Management Software. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 44.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-6 Least Privilege good match

prevent

Employs least privilege to ensure users and processes have only necessary access rights, directly mitigating privilege escalation via the PIN login component.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access to system resources, preventing improper privilege elevation in the login functionality.

AC-2 Account Management partial match

prevent

Manages accounts including privilege assignments, reducing risk of improper privilege management exploited in the PIN component.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Unauthenticated remote privilege escalation via exploitation of login PIN component in network-accessible facilities management software directly enables T1068 and facilitates initial access via T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to escalate privileges via PIN component of the login functionality.

Deeper analysisAI

CVE-2026-26722 is a privilege escalation vulnerability affecting Key Systems Inc Global Facilities Management Software version 20230721a. The issue lies in the PIN component of the login functionality, where an attacker can exploit improper privilege management (CWE-269) to elevate their access rights. Published on 2026-02-20, it carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H), indicating critical severity due to its network accessibility and high potential impact.

A remote attacker requires no prior privileges or user interaction to exploit this vulnerability over the network with low attack complexity. Successful exploitation enables privilege escalation, granting high-impact disruption to system integrity and availability while allowing low-impact access to confidential data, potentially compromising the facility management system's controls.

Details on the vulnerability, including disclosure information, are available in the GitHub repository at https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26722. No specific patch or mitigation guidance is provided in the CVE description.