CVE-2026-3000

Critical

Published: 02 March 2026

Published

02 March 2026

Modified

09 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0009 25.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3000 is a critical-severity Download of Code Without Integrity Check (CWE-494) vulnerability in Changingtec Idexpert. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely flaw remediation, directly addressing the specific RCE vulnerability in the IDExpert Windows Logon Agent by applying vendor patches.

SI-7 Software, Firmware, and Information Integrity good match

prevent

SI-7 enforces software and information integrity verification, mitigating CWE-494 by ensuring downloaded DLLs are checked for integrity before execution.

SI-3 Malicious Code Protection good match

preventdetect

SI-3 deploys malicious code protection mechanisms to scan, detect, and block the arbitrary malicious DLLs downloaded and executed via the vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability enables unauthenticated remote code execution by forcing download and execution of arbitrary DLLs in a network-accessible Windows service, directly mapping to exploitation of a public-facing application for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

IDExpert Windows Logon Agent developed by Changing has a Remote Code Execution vulnerability, allowing unauthenticated remote attackers to force the system to download arbitrary DLL files from a remote source and execute them.

Deeper analysisAI

CVE-2026-3000 is a remote code execution vulnerability in the IDExpert Windows Logon Agent developed by Changing. It allows unauthenticated remote attackers to force affected systems to download arbitrary DLL files from a remote source and execute them. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-494 (Download of Code Without Integrity Check). It was published on 2026-03-02.

Unauthenticated attackers with network access can exploit this vulnerability without user interaction or privileges. By leveraging the flaw, they can remotely trigger the download and execution of malicious DLLs, achieving full remote code execution on the target system with high confidentiality, integrity, and availability impacts.

Mitigation details are available in advisories from the vendor and related organizations, including Changing's announcement at https://www.changingtec.com/news_detail.jsp?item_id=348 and TWCERT reports at https://www.twcert.org.tw/en/cp-139-10741-daed4-2.html and https://www.twcert.org.tw/tw/cp-132-10740-b2eb2-1.html. Security practitioners should consult these references for patch information and remediation guidance.