Cyber Resilience

CVE-2026-53476

Critical

Published: 10 June 2026

Modified: 17 June 2026
KEV Added
Patch
CVSS Score v3.1: 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0029 (20.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-53476 is a critical-severity Link Following (CWE-59) vulnerability in Kubev2V Assisted Migration Agent. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE is ranked at the 20.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

A flaw was found in assisted-migration-agent. An unauthenticated attacker, located on the same local area network (LAN), can exploit a path traversal vulnerability. By crafting a specially designed gzipped tarball, the attacker can bypass security checks and write arbitrary files to the system. This could ultimately lead to the execution of unauthorized code on the appliance.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1210 · Exploitation of Remote Services · Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1059 · Command and Scripting Interpreter · Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

Path traversal in a LAN-accessible service allows unauthenticated arbitrary file write via a crafted archive, directly enabling remote service exploitation to achieve code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

kubev2v · assisted migration agent · ≤ 2026-06-07

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.
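
As an added example (not code from assisted-migration-agent or from this advisory), the following Python check applies the control above to a gzipped tarball before anything is extracted, and extends it to link entries because the CVE is classed as CWE-59. The extraction root `DEST`, the function names and the sample archive are constructed assumptions.

```python
import io
import os
import tarfile

DEST = "/var/lib/agent/unpack"  # hypothetical extraction root (assumption)

def _escapes(dest, path):
    """True if path, resolved lexically under dest, lands outside dest."""
    dest = os.path.normpath(dest)
    full = os.path.normpath(os.path.join(dest, path))
    return os.path.commonpath([dest, full]) != dest

def audit_tarball(data, dest=DEST):
    """Return (member, reason) for every entry an extractor must refuse."""
    rejected, links = [], set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar:
            parts = os.path.normpath(m.name).split("/")
            prefixes = {"/".join(parts[:i]) for i in range(1, len(parts) + 1)}
            if _escapes(dest, m.name):  # "../" or absolute member name (CWE-22)
                rejected.append((m.name, "path escapes destination"))
            elif prefixes & links:  # lexically fine, but written through a link
                rejected.append((m.name, "path goes through an archive link"))
            elif m.issym() or m.islnk():  # link entries (CWE-59)
                links.add("/".join(parts))
                # symlink targets are relative to the link's own directory
                base = os.path.dirname(m.name) if m.issym() else ""
                if _escapes(dest, os.path.join(base, m.linkname)):
                    rejected.append((m.name, "link target escapes destination"))
            elif not (m.isfile() or m.isdir()):  # devices, FIFOs, ...
                rejected.append((m.name, "unsupported entry type"))
    return rejected

def build_sample():
    """Constructed archive, built in memory for the demo; never extracted."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name, kind=tarfile.REGTYPE, linkname="", body=b""):
            info = tarfile.TarInfo(name)
            info.type, info.linkname, info.size = kind, linkname, len(body)
            tar.addfile(info, io.BytesIO(body))
        add("report/inventory.json", body=b"{}")
        add("../outside.txt", body=b"x")
        add("cfg", tarfile.SYMTYPE, linkname="/etc")
        add("cfg/example.conf", body=b"x")
    return buf.getvalue()

if __name__ == "__main__":
    for member, reason in audit_tarball(build_sample()):
        print(f"REJECT {member}: {reason}")
```

An extractor using this audit should refuse the whole archive when the returned list is non-empty. Python's own `tarfile.extractall(..., filter="data")` applies comparable restrictions at extraction time.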
