Cyber Resilience

CVE-2026-26722

Critical · Public PoC

Published: 20 February 2026
Modified: 26 February 2026
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H)
EPSS Score: 0.0033 (24.9th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-26722 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Keystorage Global Facilities Management Software. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks the vulnerability at the 24.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-26722 is a privilege escalation vulnerability affecting Key Systems Inc Global Facilities Management Software version 20230721a. The issue lies in the PIN component of the login functionality, where an attacker can exploit improper privilege management (CWE-269) to elevate their access rights. Published on 2026-02-20, it carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H), indicating critical severity due to its network accessibility and high potential impact.

The vector states that a remote attacker needs no prior privileges and no user interaction, and that attack complexity is low. Successful exploitation yields elevated privileges within the application itself (scope unchanged): the rating assigns high impact to integrity and availability and low impact to confidentiality, meaning an attacker can alter or disrupt the facility management system's controls more readily than read its data.

Details on the vulnerability, including disclosure information, are available in the GitHub repository at https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26722. The CVE description provides no patch or mitigation guidance; 20230721a is the only version listed as affected.


Vulnerability details

An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to escalate privileges via PIN component of the login functionality.

CWE(s): CWE-269 Improper Privilege Management

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application (tactic: Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote privilege escalation through the login PIN component of network-accessible facilities management software maps directly to T1068; because the login is reachable over the network, the same flaw can also serve as the initial foothold, hence T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26724: same product (Keystorage Global Facilities Management Software)
CVE-2026-26723: same product (Keystorage Global Facilities Management Software)
CVE-2026-26721: same product (Keystorage Global Facilities Management Software)
CVE-2024-12281: shared CWE-269
CVE-2025-15403: shared CWE-269
CVE-2025-13538: shared CWE-269
CVE-2024-57602: shared CWE-269
CVE-2026-2631: shared CWE-269
CVE-2025-13542: shared CWE-269
CVE-2025-13563: shared CWE-269

Affected Assets

Vendor: keystorage
Product: global facilities management software
Version: 20230721a

Mitigating Controls (NIST 800-53 r5) [AI]

AC-6 Least Privilege (prevent): Employs least privilege to ensure users and processes have only the access rights they need, directly mitigating privilege escalation via the PIN login component.

AC-3 Access Enforcement (prevent): Enforces approved authorizations for access to system resources, so the login functionality cannot confer privileges beyond those assigned to the authenticated account.

AC-2 Account Management (prevent): Manages accounts, including privilege assignments, reducing the risk that improper privilege management in the PIN component can be exploited.
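The three controls above describe the same design rule from different angles: a PIN proves identity, and the privilege level attached to a session must come from a server-side account record rather than from anything the client sends. The following added example (generic illustration written for this page, not the vendor's code; the real defect behind CVE-2026-26722 is not described here and this is not a reconstruction of it) shows a PIN login that violates CWE-269 by honouring a client-supplied role next to a hardened version that applies AC-3 and AC-6. The account store, PINs, role names and the `authorize` action table are constructed for the example.

```python
"""Generic CWE-269 PIN-login pattern and its hardened counterpart (added example;
constructed accounts and PINs, not the product's code or its actual flaw)."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

MAX_FAILED = 5
LOCKOUT_SECONDS = 300


@dataclass
class Account:
    user: str
    pin_salt: bytes
    pin_hash: bytes
    role: str                 # assigned by an administrator (AC-2); the only source of privilege
    failed: int = 0
    locked_until: float = 0.0


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked store does not hand over short numeric PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


def make_account(user: str, pin: str, role: str) -> Account:
    salt = os.urandom(16)
    return Account(user, salt, hash_pin(pin, salt), role)


# Constructed sample store: one ordinary user, one administrator.
ACCOUNTS = {a.user: a for a in (make_account("alice", "4821", "user"),
                                 make_account("ops", "9173", "admin"))}


def weak_login(request: dict) -> Optional[str]:
    """CWE-269 pattern: the PIN is checked, but the effective role is then read
    from the request, so any holder of a valid low-privilege PIN can claim admin."""
    acct = ACCOUNTS.get(request["user"])
    if acct is None or hash_pin(request["pin"], acct.pin_salt) != acct.pin_hash:
        return None
    return request.get("role", acct.role)   # client-controlled privilege


def hardened_login(request: dict, now: Optional[float] = None) -> Optional[str]:
    """AC-3/AC-6: the PIN only authenticates; the role comes from the stored record.
    Adds a constant-time hash comparison and lockout after repeated failures,
    since a short numeric PIN is otherwise cheap to brute-force."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(request["user"])
    if acct is None:
        hash_pin(request.get("pin", ""), b"\x00" * 16)   # equalise timing for unknown users
        return None
    if now < acct.locked_until:
        return None
    if not hmac.compare_digest(hash_pin(request["pin"], acct.pin_salt), acct.pin_hash):
        acct.failed += 1
        if acct.failed >= MAX_FAILED:
            acct.locked_until = now + LOCKOUT_SECONDS
        return None
    acct.failed = 0
    return acct.role   # never request["role"]


def authorize(role: Optional[str], action: str) -> bool:
    """AC-3 enforcement point: every privileged action is checked against the
    server-side role, not against anything the client supplied."""
    allowed = {"user": {"view_keys"},
               "admin": {"view_keys", "issue_key", "change_pin"}}
    return role is not None and action in allowed.get(role, set())


if __name__ == "__main__":
    claim = {"user": "alice", "pin": "4821", "role": "admin"}
    print("weak:", weak_login(claim), "hardened:", hardened_login(claim))
```

The lockout keeps state per account; in a real deployment it would also be keyed by source address and logged, so that repeated PIN failures against the facility login surface as a detection signal for T1190-style probing rather than only as a counter.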
