Cyber Resilience

CVE-2026-6348

Critical

Published: 16 April 2026

Published
16 April 2026
Modified
19 May 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0018 7.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-6348 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Org (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 7.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-6348 is a Missing Authentication vulnerability (CWE-306) in the WinMatrix agent developed by Simopro Technology. This flaw affects the agent software, which is deployed for management purposes across environments. Published on 2026-04-16, it carries a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating high severity due to its potential for significant impact with relatively low barriers to exploitation.

The vulnerability enables authenticated local attackers with low privileges to execute arbitrary code with SYSTEM-level privileges. Exploitation occurs locally (AV:L) with low complexity and no user interaction required, but the scope is changed (S:C), allowing attackers to elevate privileges not only on the local machine but also across all hosts in the environment where the WinMatrix agent is installed. Successful exploitation grants full control, compromising confidentiality, integrity, and availability at a high level.

Advisories are available from TWCERT at https://www.twcert.org.tw/en/cp-139-10840-ba9b9-2.html and https://www.twcert.org.tw/tw/cp-132-10839-2d9a7-1.html, which detail the issue but do not specify mitigation steps in the provided information.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

WinMatrix agent developed by Simopro Technology has a Missing Authentication vulnerability, allowing authenticated local attackers to execute arbitrary code with SYSTEM privileges on the local machine as well as on all hosts within the environment where the agent is installed.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is a local missing authentication flaw in a management agent that allows low-privileged authenticated users to execute arbitrary code as SYSTEM, directly enabling T1068 Exploitation for Privilege Escalation with scope change to other hosts.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-48572Shared CWE-306
CVE-2026-26160Shared CWE-306
CVE-2026-24068Shared CWE-306
CVE-2026-24062Shared CWE-306
CVE-2026-33788Shared CWE-306
CVE-2018-25259Shared CWE-306
CVE-2026-20803Shared CWE-306
CVE-2026-0492Shared CWE-306
CVE-2026-26159Shared CWE-306
CVE-2025-24456Shared CWE-306

Affected Assets

Org
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the missing authentication vulnerability by identifying and prohibiting critical actions, such as arbitrary code execution, without identification and authentication in the WinMatrix agent.

prevent

Ensures the WinMatrix agent enforces approved authorizations, preventing low-privilege local attackers from executing arbitrary code with SYSTEM privileges.

prevent

Limits the scope and impact of privilege escalation from the missing authentication flaw by restricting the agent to least privilege necessary for its management functions across hosts.

References