CVE-2026-57919: Privilege Escalation in Matrix42 Empirum Personal Backup via Insecure Named Pipe Permissions and Untrusted Search Path
Explore the details of CVE-2026-57919, highlighting a privilege escalation vulnerability in Empirum Personal Backup and its implications.
Table of Contents
Summary
PBackupVSS.exe in Matrix42 Empirum creates a named pipe (\\\\.\\pipe\\PBackupVSS) with a DACL that grants GENERIC_READ and GENERIC_WRITE permissions to all authenticated users. A low-privileged local attacker can connect to this pipe and send crafted IPC messages to trigger execution of arbitrary commands with SYSTEM privileges via an untrusted search path. This allows privilege escalation by placing a malicious shadow.exe in a controlled working directory.
Supported Products Overview
| Product | Version | Status |
|---|---|---|
| Empirum Personal Backup | 25.4 | Affected |
| Empirum Personal Backup | 26.1 | Affected |
| Empirum Personal Backup | 25.5 | Fixed |
| Empirum Personal Backup | 26.2 | Fixed |
Technical Details
The issue is caused by insecure access control on a named pipe:
\\.\pipe\PBackupVSS
- Overly permissive DACL
- Authenticated users have read/write access (CWE-276)
- Exploitation via crafted IPC messages
- Privilege escalation via untrusted search path (CWE-426)
Impact
- Privilege escalation to SYSTEM
- Arbitrary code execution
- Full system compromise
CVSS
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HBase Score: 7.8 (HIGH)
Mitigation
- Apply the hotfix addressing PRB39539
- Update to Empirum 25.5 or later
- Update to Empirum 26.2 or later
Credits
Finder: Steffen Rogge, NVISO GmbH
Support
For further assistance, please contact Matrix42 Support.