Cyber Resilience

CVE-2026-27748

High

Published: 05 March 2026

Modified: 01 April 2026
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (8.0th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27748 is a high-severity Link Following (CWE-59) vulnerability in Avira Internet Security. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 8.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27748 is an improper link resolution vulnerability (CWE-59) in the Software Updater component of Avira Internet Security. Published on 2026-03-05, it affects the update process where a privileged service running as SYSTEM deletes a file under C:\ProgramData without validating whether the path resolves through a symbolic link or reparse point. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact potential from local access.

A local attacker with low privileges can exploit this by creating a malicious symbolic link or reparse point that redirects the delete operation to an arbitrary file. This allows deletion of attacker-chosen files using SYSTEM privileges, potentially leading to local privilege escalation, denial of service, or system integrity compromise, depending on the targeted file and operating system configuration.

Mitigation details are referenced in the following advisories: https://support.avira.com/hc/en-us/articles/360010656158-Current-Avira-versions, https://www.avira.com/en/internet-security, and https://www.gendigital.com/us/en/contact-us/security-advisories/.

Vulnerability details

Avira Internet Security contains an improper link resolution vulnerability in the Software Updater component. During the update process, a privileged service running as SYSTEM deletes a file under C:\ProgramData without validating whether the path resolves through a symbolic link or reparse point. A local attacker can create a malicious link to redirect the delete operation to an arbitrary file, resulting in deletion of attacker-chosen files with SYSTEM privileges. This may lead to local privilege escalation, denial of service, or system integrity compromise depending on the targeted file and operating system configuration.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1070.004 File Deletion (tactic: Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

Vulnerability enables local arbitrary file deletion with SYSTEM privileges via symlink abuse, directly supporting exploitation for privilege escalation (T1068) and indicator removal via targeted file deletion (T1070.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-27750: Same product: Avira Internet Security
CVE-2026-27749: Same product: Avira Internet Security
CVE-2025-60710: Shared CWE-59
CVE-2026-42834: Shared CWE-59
CVE-2025-21373: Shared CWE-59
CVE-2026-2627: Shared CWE-59
CVE-2025-21419: Shared CWE-59
CVE-2025-15319: Shared CWE-59
CVE-2025-41667: Shared CWE-59
CVE-2026-25906: Shared CWE-59

Affected Assets

Vendor: avira
Product: internet security
Affected versions: ≤ 1.1.114.3113

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the improper link resolution flaw in the Software Updater by requiring identification, reporting, and timely correction of the vulnerability.

prevent

Requires validation of file paths prior to deletion operations to block resolution through symbolic links or reparse points exploited in this CVE.

prevent

Enforces least privilege on the SYSTEM-level updater service to limit the impact of redirected file deletions to non-critical locations.
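
A sketch of the path validation described in the controls above, as an added example (not Avira's code and not from this page): it refuses to delete when any path component below a trusted root is a symbolic link or reparse point. The function names and the temporary directory layout are assumptions made for illustration.

```python
import os
import stat
import tempfile

REPARSE_POINT = 0x400  # Windows FILE_ATTRIBUTE_REPARSE_POINT (symlinks, junctions)


def is_link(path):
    st = os.lstat(path)  # lstat does not follow the final component
    attrs = getattr(st, "st_file_attributes", 0)  # present only on Windows
    return stat.S_ISLNK(st.st_mode) or bool(attrs & REPARSE_POINT)


def first_link_component(root, target):
    """Walk from root (assumed trusted) to target; return the first link found."""
    root, target = os.path.abspath(root), os.path.abspath(target)
    if os.path.commonpath([root, target]) != root:
        raise ValueError("target is outside the trusted root")
    current = root
    for part in os.path.relpath(target, root).split(os.sep):
        current = os.path.join(current, part)
        if is_link(current):
            return current
    return None


def guarded_delete(root, target):
    link = first_link_component(root, target)
    if link is not None:
        return False, link  # refuse, and hand the offending path to the caller's log
    os.remove(target)  # path-based: a check-to-use window remains (see note)
    return True, None


def demo():
    # Constructed layout standing in for a privileged service's work directory.
    base = os.path.realpath(tempfile.mkdtemp())
    root = os.path.join(base, "updater")
    os.mkdir(root)
    protected = os.path.join(base, "protected.cfg")
    stale = os.path.join(root, "stale.tmp")
    for name in (protected, stale):
        open(name, "w").close()
    os.symlink(base, os.path.join(root, "cache"))  # planted directory link
    redirected = os.path.join(root, "cache", "protected.cfg")
    return guarded_delete(root, stale), guarded_delete(root, redirected), os.path.exists(protected)


if __name__ == "__main__":
    print(demo())
```

The check is path-based, so a window remains between validation and deletion; restricting which accounts can create entries in the work directory is still required.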
