Cyber Resilience

CVE-2026-2999

Critical

Published: 02 March 2026

Published
02 March 2026
Modified
09 March 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0051 39.3th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-2999 is a critical-severity Download of Code Without Integrity Check (CWE-494) vulnerability in Changingtec Idexpert. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2999 is a Remote Code Execution vulnerability affecting the IDExpert Windows Logon Agent developed by Changing. Published on 2026-03-02T07:16:22.743, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-494. The flaw enables unauthenticated remote attackers to force affected systems to download arbitrary executable files from a remote source and execute them.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges or user interaction. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, allowing arbitrary code execution on the target system.

Mitigation details are outlined in advisories from the vendor at https://www.changingtec.com/news_detail.jsp?item_id=348 and from TWCERT at https://www.twcert.org.tw/en/cp-139-10741-daed4-2.html and https://www.twcert.org.tw/tw/cp-132-10740-b2eb2-1.html.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

IDExpert Windows Logon Agent developed by Changing has a Remote Code Execution vulnerability, allowing unauthenticated remote attackers to force the system to download arbitrary executable files from a remote source and execute them.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote code execution vulnerability in a network-exposed Windows service (Logon Agent) enables exploitation of a public-facing application to download and execute arbitrary code.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3000Same product: Changingtec Idexpert
CVE-2025-57431Shared CWE-494
CVE-2026-27180Shared CWE-494
CVE-2026-40066Shared CWE-494
CVE-2024-50696Shared CWE-494
CVE-2025-69263Shared CWE-494
CVE-2025-15556Shared CWE-494
CVE-2025-1058Shared CWE-494
CVE-2025-56513Shared CWE-494
CVE-2026-9089Shared CWE-494

Affected Assets

changingtec
idexpert
2.7.3.230719 — 2.8.4.250925

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the RCE vulnerability by requiring timely remediation through patching the flaw in the IDExpert Windows Logon Agent as per vendor advisories.

prevent

Prevents unauthenticated remote attackers from reaching the vulnerable logon agent service by monitoring and controlling communications at system boundaries.

preventdetect

Blocks or detects the arbitrary executable files downloaded and executed by the vulnerability through malicious code protection mechanisms like antivirus scanning.

References