CVE-2026-0539 Overview
CVE-2026-0539 is a local privilege escalation vulnerability affecting the pcvisit service binary on Windows systems. The vulnerability stems from incorrect default permissions (CWE-276) that allow a low-privileged local attacker to overwrite the service binary with arbitrary contents. Since the pcvisit service binary is automatically launched with NT AUTHORITY\SYSTEM privileges during system boot, an attacker who successfully exploits this vulnerability can achieve complete system compromise with the highest level of Windows privileges.
Critical Impact
Low-privileged local users can escalate to NT AUTHORITY\SYSTEM privileges by replacing the pcvisit service binary, enabling full system compromise on affected Windows hosts.
Affected Products
- pcvisit versions after 22.6.22.1329 up to (but not including) 25.12.3.1745
- pcvisit Remote Desktop Software for Windows
Discovery Timeline
- 2026-04-22 - CVE-2026-0539 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-0539
Vulnerability Analysis
This vulnerability is classified as Incorrect Default Permissions (CWE-276), a configuration flaw that occurs when software is installed with overly permissive file system permissions. In the case of pcvisit, the service binary is installed with permissions that allow non-administrative users to modify or replace the executable file.
The impact of this vulnerability is significant because Windows services running under the NT AUTHORITY\SYSTEM account have unrestricted access to the local system. An attacker who can replace the service binary can execute arbitrary code with these elevated privileges the next time the system boots or the service restarts.
Root Cause
The root cause of CVE-2026-0539 lies in the installation routine of pcvisit, which fails to properly restrict write access to the service binary. By default, Windows services should have their executable files protected with Access Control Lists (ACLs) that prevent modification by non-administrative users. The pcvisit installer did not implement these security controls correctly, leaving the service binary writable by low-privileged users on the system.
Attack Vector
The attack vector for this vulnerability requires local access to the target system. An attacker with a low-privileged account can exploit this vulnerability through the following process:
- Identify the location of the pcvisit service binary on the file system
- Verify that the current user has write permissions to the binary file
- Replace the legitimate service binary with a malicious payload
- Wait for the system to reboot or trigger a service restart
- The malicious payload executes with NT AUTHORITY\SYSTEM privileges
This vulnerability is particularly dangerous in environments where multiple users share access to workstations or in scenarios where attackers have already gained initial access through other means and seek to escalate privileges.
Detection Methods for CVE-2026-0539
Indicators of Compromise
- Unexpected modifications to the pcvisit service binary file (check file hash against known good values)
- Changes to file timestamps on the pcvisit executable without corresponding software updates
- Service crash events or failures during system boot related to pcvisit services
- Unusual processes spawning from the pcvisit service execution context
Detection Strategies
- Monitor file integrity of Windows service binaries, particularly for pcvisit installations
- Implement file integrity monitoring (FIM) solutions to alert on unauthorized changes to service executables
- Review Windows Security Event logs for file modification events (Event ID 4663) targeting the pcvisit service binary
- Deploy endpoint detection and response (EDR) solutions to identify privilege escalation attempts
Monitoring Recommendations
- Configure SentinelOne to monitor for unauthorized binary replacements in service directories
- Enable auditing for object access on critical service binaries through Windows Local Security Policy
- Implement baseline comparisons for service binary hashes during routine security scans
- Monitor for unusual service behavior or unexpected child processes from the pcvisit service
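The object-access auditing and Event ID 4663 review described above can be set up as follows. This is an added example, not vendor or pcvisit code; it assumes an elevated PowerShell session, an English-language audit subcategory name, and that `<path_to_pcvisit_binary>` is replaced with the real installation path.

```powershell
# Added example. Run elevated.
$exe = '<path_to_pcvisit_binary>'   # placeholder for the service binary's full path

# 1. Enable the audit subcategory that produces Event ID 4663
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add an audit (SACL) entry so write-type access by Everyone (S-1-1-0) is logged
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, 'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership', 'Success')
$acl = Get-Acl -LiteralPath $exe -Audit
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $exe -AclObject $acl

# 3. Review: 4663 events on that file whose access mask includes a write-type right
#    WriteData 0x2, AppendData 0x4, DELETE 0x10000, WRITE_DAC 0x40000, WRITE_OWNER 0x80000
$writeBits = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-7) }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        # Flatten the EventData name/value pairs into a hashtable
        $d = @{}
        foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $mask = [Convert]::ToInt32($d['AccessMask'], 16)   # logged as hex, e.g. 0x2
        if ($d['ObjectName'] -ieq $exe -and ($mask -band $writeBits)) {
            [pscustomobject]@{
                Time       = $evt.TimeCreated
                User       = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                Process    = $d['ProcessName']
                AccessMask = $d['AccessMask']
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

Writes by the pcvisit updater or an administrator during a planned upgrade are expected; any other user or process in the output warrants investigation.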
How to Mitigate CVE-2026-0539
Immediate Actions Required
- Update pcvisit to version 25.12.3.1745 or later immediately
- Audit file permissions on the pcvisit service binary to ensure only administrators have write access
- Verify the integrity of existing pcvisit installations by comparing file hashes against known good values
- Monitor systems for signs of exploitation until patching is complete
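One way to carry out the permission audit above is the following added example (not vendor or pcvisit code). It assumes the service name or display name matches `*pcvisit*`, and it goes slightly beyond the text by also checking the folder that holds the binary, since write access there permits replacing the file as well.

```powershell
# Added example. Assumption: '*pcvisit*' matches the service on your hosts; adjust as needed.
$pattern = '*pcvisit*'

# Principals expected to hold write access: SYSTEM, Administrators, TrustedInstaller
$trusted = 'S-1-5-18', 'S-1-5-32-544',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

# WriteData, AppendData, Delete, ChangePermissions, TakeOwnership, GENERIC_ALL, GENERIC_WRITE
$writeBits = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-RiskyAce {
    param([string]$Path)
    # Ask for SIDs instead of account names so the check is locale-independent
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid         = $ace.IdentityReference.Value
        $inheritOnly = [int]$ace.PropagationFlags -band 2    # ACE does not apply to this object
        $canWrite    = [int]$ace.FileSystemRights -band $writeBits
        if ($ace.AccessControlType -eq 'Allow' -and -not $inheritOnly -and
            $canWrite -and $sid -notin $trusted) {
            [pscustomobject]@{
                Path      = $Path
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like $pattern -or $_.DisplayName -like $pattern } |
    ForEach-Object {
        # PathName may be quoted and may carry arguments; keep only the executable path
        if ($_.PathName -match '^\s*"([^"]+)"' -or $_.PathName -match '^\s*(.+?\.exe)') {
            $exe = $Matches[1]
            Get-RiskyAce -Path $exe                         # the service binary itself
            Get-RiskyAce -Path (Split-Path -Parent $exe)    # the folder that contains it
        }
    } | Format-Table -AutoSize
```

No output means no write-capable ACE for a non-administrative principal was found on the binary or its folder.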
Patch Information
The vulnerability has been addressed in pcvisit version 25.12.3.1745. Organizations should update to this version or later to remediate the vulnerability. For detailed release information, refer to the PCVisit Release Notes. Additional technical details about the vulnerability can be found in the Infoguard Advisory for CVE-2026-0539.
Workarounds
- Manually correct the file permissions on the pcvisit service binary to restrict write access to Administrators only
- Implement application whitelisting to prevent unauthorized binaries from executing
- Consider temporarily disabling the pcvisit service on high-risk systems until patching can be completed
- Use Windows Software Restriction Policies or AppLocker to prevent unauthorized executable modifications
```powershell
# Example: Fix file permissions on Windows (run as Administrator in PowerShell)
# Replace <path_to_pcvisit_binary> with the actual installation path
icacls "<path_to_pcvisit_binary>" /reset
icacls "<path_to_pcvisit_binary>" /grant:r "BUILTIN\Administrators:(F)" /grant:r "NT AUTHORITY\SYSTEM:(F)"
icacls "<path_to_pcvisit_binary>" /inheritance:r
```