CVE-2023-26077 Overview
CVE-2023-26077 affects the Atera Agent through version 1.8.3.6 on Windows. The agent creates a temporary file in a directory configured with insecure permissions. A local attacker with low privileges can manipulate this file to influence agent behavior running under a higher-privileged context. The weakness is classified as Incorrect Default Permissions [CWE-276]. Mandiant disclosed the issue under advisory MNDT-2023-0008.
Critical Impact
Local attackers can leverage insecure temporary file permissions to escalate privileges on Windows hosts running vulnerable Atera Agent builds, gaining high impact on confidentiality, integrity, and availability.
Affected Products
- Atera Agent through version 1.8.3.6
- Microsoft Windows operating systems hosting the Atera Agent
- Endpoints managed by Atera remote monitoring deployments
Discovery Timeline
- 2023-07-24 - CVE-2023-26077 published to the National Vulnerability Database (NVD)
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-26077
Vulnerability Analysis
The Atera Agent runs on Windows endpoints and performs remote monitoring and management tasks with elevated privileges. During operation, the agent creates a temporary file in a directory that grants write access to non-administrative users. Because the parent directory permissions are too permissive, any local user can place, modify, or replace files in that path. When the agent later operates on the file under a privileged context, the attacker influences the resulting action.
This class of weakness is tracked as Incorrect Default Permissions [CWE-276]. The vulnerability requires local access and low privileges. No user interaction is needed. The attack complexity is low because the directory location and file naming are predictable across installations.
Root Cause
The root cause is improper access control on a directory used by the agent for transient files. The directory inherits or is created with an Access Control List (ACL) that permits write access to standard users. The agent does not validate ownership or restrict permissions on the temporary file before consuming it.
Attack Vector
An attacker authenticated as a low-privileged local user stages a malicious file or symbolic link in the writable directory before the agent reads or executes the temporary content. When the privileged agent process operates on the planted file, the attacker gains code execution or file manipulation in the SYSTEM context. See the Mandiant Advisory MNDT-2023-0008 for additional technical context.
No verified proof-of-concept code is published for CVE-2023-26077.
Refer to the Mandiant advisory for exploitation details.
Detection Methods for CVE-2023-26077
Indicators of Compromise
- Unexpected files or symbolic links created by non-administrative users in directories used by the Atera Agent for temporary storage
- New SYSTEM-level processes spawned by AteraAgent.exe shortly after low-privileged file write events
- Modifications to agent-owned files where the file owner does not match the agent service account
Detection Strategies
- Audit Windows file system events for write operations performed by non-privileged users in Atera Agent working directories
- Correlate process creation events under AteraAgent.exe with prior file creation events from standard user tokens
- Hunt for symbolic link or junction creation in agent-controlled paths using Sysmon event ID 11 and 15
Monitoring Recommendations
- Enable Windows object access auditing on directories used by third-party monitoring agents
- Forward endpoint telemetry to a centralized analytics platform for correlation between user-context file writes and privileged process activity
- Track installed Atera Agent versions across the fleet and alert on hosts still running builds at or below 1.8.3.6
How to Mitigate CVE-2023-26077
Immediate Actions Required
- Inventory all Windows endpoints running the Atera Agent and identify versions at or below 1.8.3.6
- Upgrade affected agents to a fixed release published by Atera
- Restrict interactive logon on systems where the agent runs with SYSTEM privileges to reduce local attacker exposure
Patch Information
Upgrade the Atera Agent to a version later than 1.8.3.6. Consult Atera Security Resources and the Mandiant Vulnerability Disclosures repository for advisory references and remediation guidance.
Workarounds
- Apply restrictive ACLs to the agent's temporary directory so only SYSTEM and administrators retain write access until a patched version is deployed
- Limit the number of standard users with interactive access to servers and workstations running the agent
- Monitor and alert on file creation in the agent's working directories performed by accounts other than the agent service account
# Example PowerShell to inspect ACLs on a suspect directory
Get-Acl "C:\ProgramData\Atera Networks" | Format-List
# Remove inherited write permissions for non-admin users
icacls "C:\ProgramData\Atera Networks" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
