Cyber Resilience

CVE-2026-4606

Critical

Published: 23 March 2026

Published
23 March 2026
Modified
19 May 2026
KEV Added
Patch
CVSS Score v4 10.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:I/V:C/RE:M/U:Green
EPSS Score 0.0030 21.4th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-4606 is a critical-severity Execution with Unnecessary Privileges (CWE-250) vulnerability in Https: (inferred from references). Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 21.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

GV Edge Recording Manager (ERM) v2.3.1 improperly runs application components with SYSTEM-level privileges, allowing any local user to gain full control of the operating system. During installation, ERM creates a Windows service that runs under the LocalSystem account. When the…

more

ERM application is launched, related processes are spawned under SYSTEM privileges rather than the security context of the logged-in user. Functions such as 'Import Data' open a Windows file dialog operating with SYSTEM permissions, enabling modification or deletion of protected system files and directories. Any ERM function invoking Windows file open/save dialogs exposes the same risk. This vulnerability allows local privilege escalation and may result in full system compromise.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Vulnerability description directly describes local privilege escalation to SYSTEM via excessive privileges on Windows service/processes and file dialogs (CWE-250).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Https:
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-250

Policy promotes least privilege by defining necessary privileges and management commitment to them.

addresses: CWE-250

Supervision detects and allows removal of unnecessary privileges that enable execution with excess rights.

addresses: CWE-250

Reviewing accounts for compliance, disabling/removing unneeded accounts, and aligning with termination processes prevents execution with unnecessary privileges.

addresses: CWE-250

Separation of duties prevents any single user from holding all privileges needed to complete a critical task, directly reducing execution with unnecessary privileges.

addresses: CWE-250

Directly prevents execution with more privileges than needed for assigned tasks.

addresses: CWE-250

Role-based training on least privilege principles reduces the chance personnel assign or retain unnecessary privileges.

addresses: CWE-250

Analysis of audit records can identify execution with unnecessary privileges through unusual activity patterns.

addresses: CWE-250

Automatic termination after a defined period eliminates unnecessary privileges from persistent connections.

References