Platform
windows
Component
barracuda-rmm
Fixed in
2025.2.2
CVE-2026-22676 describes a privilege escalation vulnerability discovered in Barracuda RMM. This flaw allows a local attacker to elevate their privileges to SYSTEM level, granting them complete control over the affected system. The vulnerability impacts Barracuda RMM versions prior to 2025.2.2 and has been resolved with the release of version 2025.2.2.
CVE-2026-22676 in Barracuda RMM versions prior to 2025.2.2 presents a privilege escalation vulnerability allowing local attackers to gain SYSTEM-level privileges. This is due to overly permissive filesystem ACLs on the C:\Windows\Automation directory. Attackers can modify existing automation content or place attacker-controlled files within this directory, which are then executed under the NT AUTHORITY\SYSTEM account during routine automation cycles, typically succeeding within the next execution cycle. Successful exploitation of this vulnerability could allow an attacker to fully compromise the system, access sensitive data, and execute malicious code with the highest privileges.
This vulnerability requires local access to the Barracuda RMM system. An attacker with local access could be a malicious insider or an attacker who has already compromised the system through another vector. Exploitation is relatively straightforward once local access is obtained, as it involves simply placing a malicious file in the C:\Windows\Automation directory. Execution under the SYSTEM account provides the attacker with complete control over the affected system. The lack of authentication or authorization to write to this directory is the root cause of the vulnerability.
Organizations utilizing Barracuda RMM for remote monitoring and management, particularly those with legacy configurations or inadequate access controls, are at significant risk. Environments where local administrator access is not strictly controlled or where automation tasks are not regularly reviewed are especially vulnerable. Shared hosting environments utilizing Barracuda RMM also pose a heightened risk due to the potential for cross-tenant exploitation.
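• windows / supply-chain:
# Show the ACL on the automation directory, then list its contents with timestamps
Get-Acl "C:\Windows\Automation" | Format-List
Get-ChildItem -Path "C:\Windows\Automation\*" -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime, Length
• windows / supply-chain:
# LastRunTime is returned by Get-ScheduledTaskInfo, not by the task object itself
Get-ScheduledTask | Where-Object {$_.TaskName -like '*Automation*'} |
    ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{ TaskName = $_.TaskName; State = $_.State; LastRunTime = $info.LastRunTime }
    }
• windows / supply-chain:
# The Microsoft-Windows-PowerShell provider writes to its own Operational log, not to System
Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' -FilterXPath "*[System[Provider[@Name='Microsoft-Windows-PowerShell']]]" -MaxEvents 100
disclosure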
Exploit Status
EPSS
0.01% (2% percentile)
CISA SSVC
CVSS vector
The solution to mitigate CVE-2026-22676 is to upgrade Barracuda RMM to version 2025.2.2 or later. This update corrects the incorrect permission configuration within the C:\Windows\Automation directory, restricting unauthorized access. It is recommended to apply this update as soon as possible to reduce the risk of exploitation. As an additional measure, review existing permissions on the C:\Windows\Automation directory on systems that cannot be upgraded immediately and ensure that only authorized users and processes have write access. Monitor system logs for any unusual activity related to the automation directory.
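One way to carry out the permission review described above on hosts that cannot be upgraded yet. This is an added example, not code from Barracuda or from the original page. The list of trusted SIDs and the set of rights treated as write-capable are assumptions to adjust for your environment.

```powershell
# Added example: report Allow ACEs under the automation directory that give
# non-trusted principals the ability to create, modify or replace content.
$Path = 'C:\Windows\Automation'   # directory named in the advisory text

# Assumption: only these principals are expected to hold write access.
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Assumption: rights that allow planting or altering files.
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can surface as raw GENERIC_WRITE / GENERIC_ALL bits.
$genericMask = 0x40000000 -bor 0x10000000

function Get-RiskyAce {
    param([string]$ItemPath)
    $acl = Get-Acl -LiteralPath $ItemPath
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($trustedSids -contains $sid) { continue }
        $raw = [int]$ace.FileSystemRights
        if (-not (($raw -band [int]$writeRights) -or ($raw -band $genericMask))) { continue }
        # Resolve the SID to a name where possible; orphaned SIDs stay as-is.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
        [pscustomobject]@{
            Path = $ItemPath; Account = $name; Sid = $sid
            Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
        }
    }
}

if (-not (Test-Path -LiteralPath $Path)) {
    "Directory not present: $Path"
} else {
    # Check the directory itself and everything below it.
    $items = @($Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName })
    $findings = $items | ForEach-Object { Get-RiskyAce -ItemPath $_ }
    if ($findings) { $findings | Sort-Object Path, Sid | Format-Table -AutoSize -Wrap }
    else { "No write-capable ACEs for non-trusted principals under $Path" }
}
```

Any row naming a broad group such as Users, Authenticated Users or Everyone is the condition the advisory describes. Rows with `Inherited = False` were set explicitly on that item.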
Upgrade Barracuda RMM to version 2025.2.2 or later to mitigate the vulnerability. This update corrects the insecure file permissions on the C:\Windows\Automation directory, preventing privilege escalation.
CVE-2026-22676 is a HIGH severity vulnerability in Barracuda RMM versions prior to 2025.2.2 that allows local attackers to gain SYSTEM privileges by exploiting overly permissive filesystem ACLs.
You are affected if you are running Barracuda RMM versions 0.0.0–2025.2.2. Upgrade to 2025.2.2 to mitigate the risk.
Upgrade Barracuda RMM to version 2025.2.2 or later. As a temporary workaround, restrict access to the C:\Windows\Automation directory.
Currently, there is no confirmed active exploitation of CVE-2026-22676, and no public proof-of-concept code is available.
Refer to the official Barracuda Networks security advisory for CVE-2026-22676 on their website (check Barracuda's security advisories page).