CVE-2026-57919: Privilege Escalation in Matrix42 Empirum Personal Backup via Insecure Named Pipe Permissions and Untrusted Search Path

Explore the details of CVE-2026-57919, highlighting a privilege escalation vulnerability in Empirum Personal Backup and its implications.

Summary

PBackupVSS.exe in Matrix42 Empirum creates a named pipe (\\\\.\\pipe\\PBackupVSS) with a DACL that grants GENERIC_READ and GENERIC_WRITE permissions to all authenticated users. A low-privileged local attacker can connect to this pipe and send crafted IPC messages to trigger execution of arbitrary commands with SYSTEM privileges via an untrusted search path. This allows privilege escalation by placing a malicious shadow.exe in a controlled working directory.

Supported Products Overview

Product Version Status
Empirum Personal Backup 25.4 Affected
Empirum Personal Backup 26.1 Affected
Empirum Personal Backup 25.5 Fixed
Empirum Personal Backup 26.2 Fixed

Technical Details

The issue is caused by insecure access control on a named pipe:

\\.\pipe\PBackupVSS

  • Overly permissive DACL
  • Authenticated users have read/write access (CWE-276)
  • Exploitation via crafted IPC messages
  • Privilege escalation via untrusted search path (CWE-426)

Impact

  • Privilege escalation to SYSTEM
  • Arbitrary code execution
  • Full system compromise

CVSS

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score: 7.8 (HIGH)

Mitigation

  • Apply the hotfix addressing PRB39539
  • Update to Empirum 25.5 or later
  • Update to Empirum 26.2 or later

Credits

Finder: Steffen Rogge, NVISO GmbH

Support

For further assistance, please contact Matrix42 Support.