CVE-2026-2627 Overview
A security flaw has been discovered in Softland FBackup up to version 9.9. This vulnerability impacts an unknown function in the library C:\Program Files\Common Files\microsoft shared\ink\HID.dll of the component Backup/Restore. The manipulation results in a link following vulnerability (CWE-59). The attack must be carried out locally: the attacker needs local access to the target system. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Critical Impact
Local attackers with low privileges can exploit this link following vulnerability to achieve high impact on confidentiality, integrity, and availability of the affected system. Public exploit code is available, increasing the risk of active exploitation.
Affected Products
- Softland FBackup versions up to 9.9
- Softland FBackup Backup/Restore component
- Systems with C:\Program Files\Common Files\microsoft shared\ink\HID.dll library
Discovery Timeline
- 2026-02-17 - CVE-2026-2627 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-2627
Vulnerability Analysis
This vulnerability is classified as a link following vulnerability (CWE-59), also known as a symlink attack. Link following vulnerabilities occur when an application follows symbolic links or hard links without properly validating the target, potentially allowing an attacker to redirect file operations to unintended locations on the filesystem.
In the case of CVE-2026-2627, the Softland FBackup application's Backup/Restore component improperly handles symbolic links during file operations. The vulnerability specifically involves the HID.dll library located at C:\Program Files\Common Files\microsoft shared\ink\HID.dll. An attacker with local access can exploit this flaw by creating malicious symbolic links that cause the backup software to read from or write to arbitrary locations on the filesystem.
The local attack vector means an attacker must have existing access to the target system. Once exploited, the vulnerability can lead to complete compromise of confidentiality, integrity, and availability on the local system.
Root Cause
The root cause of this vulnerability lies in insufficient validation of symbolic links and junction points during the backup and restore operations performed by FBackup. The application fails to properly verify whether file paths being processed resolve to legitimate targets or have been manipulated through filesystem symlinks. This allows attackers to abuse the application's elevated privileges during backup/restore operations to access or modify files outside the intended scope.
Attack Vector
The attack requires local access to the target system. An attacker can exploit this vulnerability by:
- Creating a symbolic link or junction point that redirects legitimate file paths to attacker-controlled or sensitive system locations
- Triggering a backup or restore operation that traverses the malicious link
- Leveraging the application's permissions to read sensitive data (confidentiality breach), overwrite critical files (integrity breach), or corrupt system files (availability breach)
The public availability of exploit code for this vulnerability, as referenced in the GitHub PoC Repository, makes this attack accessible to adversaries with limited technical expertise.
Detection Methods for CVE-2026-2627
Indicators of Compromise
- Unexpected symbolic links or junction points in directories commonly accessed by FBackup
- Unusual file access patterns involving C:\Program Files\Common Files\microsoft shared\ink\HID.dll
- Evidence of FBackup processes accessing files outside normal backup directories
- Modifications to system files coinciding with backup/restore operations
Detection Strategies
- Monitor for creation of symbolic links in FBackup working directories using Sysmon Event ID 11 (FileCreate) with junction point indicators
- Implement file integrity monitoring (FIM) on critical system directories that should not be accessed during backup operations
- Track process behavior for fbackup.exe and related processes accessing unexpected file paths
- Deploy SentinelOne Singularity to detect anomalous file system access patterns indicative of symlink exploitation
Monitoring Recommendations
- Enable Windows audit policies for object access, specifically file system and handle manipulation events
- Configure alerts for junction point or symbolic link creation in sensitive directories
- Monitor backup/restore operations for access to files outside designated backup source/destination paths
- Implement behavioral analysis to detect privilege escalation attempts leveraging backup software
How to Mitigate CVE-2026-2627
Immediate Actions Required
- Restrict local access to systems running affected versions of FBackup to trusted users only
- Review and remove any suspicious symbolic links in directories accessed by FBackup
- Consider temporarily disabling FBackup until a patch is available or until workarounds are implemented
- Monitor systems for signs of exploitation using the detection strategies outlined above
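The link review step above, as an added PowerShell example (not from the original page or from Softland): it walks the given directories without following links and reports every reparse point whose target resolves outside an allowed set. `Find-EscapingLink` and its parameters are hypothetical names, and `C:\Backup` is the sample directory used in this page's configuration example.

```powershell
# Added example: list reparse points under backup directories and flag any
# whose target resolves outside the allowed roots. Roots must be absolute paths.
# Find-EscapingLink is a hypothetical helper name, not an FBackup or Windows command.
# Hard links carry no reparse attribute and are not covered here.
function Find-EscapingLink {
    param(
        [Parameter(Mandatory)][string[]]$Root,   # directories the backup job reads or writes
        [string[]]$AllowedTarget = $Root         # locations a link may legitimately point to
    )
    # Normalise allowed roots to "C:\path\" so C:\Backup does not also match C:\Backup2.
    $allowed = @($AllowedTarget | ForEach-Object { [IO.Path]::GetFullPath($_).TrimEnd('\') + '\' })
    $pending = [System.Collections.Generic.Stack[string]]::new()
    foreach ($r in $Root) { $pending.Push($r) }

    while ($pending.Count -gt 0) {
        $dir = $pending.Pop()
        foreach ($item in Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue) {
            if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
                # Report the link but never descend into it.
                $raw = @($item.Target)[0]      # Target is a collection in Windows PowerShell 5.1
                $resolved = $null
                $inScope = $false
                if ($raw) {
                    try {
                        # Relative symlink targets are relative to the link's own directory.
                        $base = Split-Path -Parent $item.FullName
                        $resolved = [IO.Path]::GetFullPath([IO.Path]::Combine($base, $raw))
                        $probe = $resolved.TrimEnd('\') + '\'
                        $inScope = [bool]($allowed | Where-Object {
                            $probe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
                    } catch { $resolved = $raw }   # unparseable target stays out of scope
                }
                [pscustomobject]@{
                    Path     = $item.FullName
                    LinkType = $item.LinkType      # SymbolicLink, Junction, or empty for other tags
                    Target   = $resolved
                    InScope  = $inScope
                }
            } elseif ($item.PSIsContainer) {
                $pending.Push($item.FullName)
            }
        }
    }
}

# Example run against the sample backup directory.
Find-EscapingLink -Root 'C:\Backup' | Where-Object { -not $_.InScope } | Format-Table -AutoSize
```

Pass every backup source and destination directory in `-Root`, and use `-AllowedTarget` to list any additional locations that links are expected to point to.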
Patch Information
No official patch is currently available from Softland. According to the vulnerability disclosure, the vendor was contacted early about this issue but did not respond. Organizations should monitor VulDB and Softland's official channels for patch availability. In the absence of an official fix, implementing the workarounds below is strongly recommended.
Workarounds
- Implement application allowlisting to prevent unauthorized creation of symbolic links in FBackup directories
- Configure Windows policies to restrict symlink creation to administrators only using SeCreateSymbolicLinkPrivilege
- Run FBackup with minimum required privileges and avoid running as SYSTEM or Administrator when possible
- Consider using alternative backup solutions until the vendor addresses this vulnerability
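```powershell
# Configuration example
# Restrict symbolic link creation to Administrators only (Windows policy):
# assign the "Create symbolic links" user right (SeCreateSymbolicLinkPrivilege)
# via Group Policy. The commands below only check the current state.
# Run in elevated PowerShell.
# Note: this privilege governs symbolic links; junctions can be created without it.

# Check current symlink privilege assignment
whoami /priv | findstr SeCreateSymbolicLinkPrivilege
# Review the ACLs on the FBackup installation directory
icacls "C:\Program Files\Softland\FBackup 9" /T
# Monitor for junction points in common backup directories
# (dir /AL is a cmd.exe built-in, so call it through cmd from PowerShell)
cmd /c dir /AL /S "C:\Backup"
```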
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


