CVE-2026-4606

CRITICAL EPSS 21.5%

Published Mar 23, 20263mo ago · Modified Jun 17, 20261w ago

10.0 CVSS 4.0

Critical

Published Mar 23, 2026 3mo ago

Last Modified Jun 17, 2026 1w ago

Description

GV Edge Recording Manager (ERM) v2.3.1 improperly runs application components with SYSTEM-level privileges, allowing any local user to gain full control of the operating system. During installation, ERM creates a Windows service that runs under the LocalSystem account. When the ERM application is launched, related processes are spawned under SYSTEM privileges rather than the security context of the logged-in user. Functions such as 'Import Data' open a Windows file dialog operating with SYSTEM permissions, enabling modification or deletion of protected system files and directories. Any ERM function invoking Windows file open/save dialogs exposes the same risk. This vulnerability allows local privilege escalation and may result in full system compromise.

CVSS Details

Base Score

10.0

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:I/V:C/RE:M/U:Green

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope N

Threat Intelligence

EPSS Exploit Probability

21.5% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-250

References 1

https https://https://www.geovision.com.tw/cyber_security.php

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.