CVE-2026-28267 Overview
CVE-2026-28267 affects multiple i-フィルター (i-Filter) products distributed by Digital Arts Inc. (DAJ). The products are installed with improper file access permission settings on their system and backup directories. A non-administrative local user can create or overwrite files in these directories. The flaw is categorized as Incorrect Default Permissions [CWE-276].
Successful abuse allows a low-privileged user to plant or replace files used by the filtering software. This can lead to integrity loss and serve as a stepping stone for privilege escalation when a higher-privileged process later loads the attacker-controlled file.
Critical Impact
A local, low-privileged user can write to protected i-フィルター directories, enabling file replacement attacks that target the integrity of the web filtering software.
Affected Products
- Multiple i-フィルター (i-Filter) endpoint products from Digital Arts Inc.
- i-フィルター components bundled in Fujitsu and Optim distributions
- i-フィルター components referenced in Mobi-Connect deployments
Discovery Timeline
- 2026-03-10 - CVE-2026-28267 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-28267
Vulnerability Analysis
The vulnerability is an Incorrect Default Permissions weakness [CWE-276]. During installation, i-フィルター products configure access control lists (ACLs) on the system and backup directories that grant write permissions to standard users. Files within these directories are intended to be modified only by administrators or by the product's privileged services.
Because the directories inherit overly permissive ACLs, any interactive user on the host can drop new files or overwrite existing ones. The attack requires local access and low privileges, with no user interaction. The scope is limited to integrity impact on the affected installation, not confidentiality or availability of unrelated resources.
While the vulnerability itself does not directly execute code, file replacement primitives in privileged installation paths are a well-known route to privilege escalation. An attacker who can stage a malicious DLL, configuration file, or executable in a directory later read by a SYSTEM-level service can achieve code execution at that privilege level.
Root Cause
The root cause is the installer's failure to apply restrictive ACLs to the product's system and backup directories. Inherited permissions from the parent path or explicit grants to the Users group allow non-administrative principals to write into directories that should be administrator-only.
Attack Vector
Exploitation requires an authenticated local user on a system with an affected i-フィルター product installed. The user navigates to the writable system or backup directory and creates or overwrites files used by the product. No network access or user interaction is required.
No verified public proof-of-concept code is available. The vulnerability mechanism is described in the JVN Security Advisory and the DAJ Information Document 1.
Detection Methods for CVE-2026-28267
Indicators of Compromise
- Unexpected file creation or modification events in i-フィルター system and backup directories by non-administrative accounts.
- New executables, DLLs, or configuration files appearing in the product installation path outside of vendor update windows.
- Service or process restarts of i-フィルター components immediately following file writes by a standard user.
Detection Strategies
- Audit Windows Security event IDs 4663 and 4670 for write and ACL-change operations on i-フィルター directories.
- Compare current directory ACLs to a known-good baseline using icacls or PowerShell Get-Acl.
- Hash the contents of the installation and backup directories and alert on changes that do not correlate with vendor updates.
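One way to express the known-good ACL baseline as a rule is shown below, as an added example that is not part of the original advisory or the vendor's tooling. It flags any principal outside a trusted set that holds write-class rights on the product directories. The install path is the one used in this page's icacls example, the backup path is a placeholder, and the function name `Get-RiskyAce` and the trusted-SID list are assumptions.

```powershell
# Added example. Install path taken from this page's icacls example;
# the backup path is a placeholder to replace with the real location.
$Paths = 'C:\Program Files\Digital Arts\i-Filter', 'C:\PLACEHOLDER\i-Filter-backup'

# Well-known SIDs (locale independent) that may legitimately hold write access
$Trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER (inherit-only template ACE)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that let a principal create, replace or re-permission files.
# 0x50000000 = GENERIC_WRITE | GENERIC_ALL, which inherit-only ACEs can carry unmapped.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership' -bor 0x50000000

function Get-RiskyAce {
    param([Parameter(Mandatory)][string[]]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { Write-Warning "Not found: $root"; continue }
        # Audit the directory itself and every child: children can carry explicit ACEs
        $items = @(Get-Item -LiteralPath $root -Force) +
                 @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            $acl = Get-Acl -LiteralPath $item.FullName
            # An untrusted owner can rewrite the DACL regardless of its entries
            $owner = $acl.GetOwner($sidType).Value
            if ($Trusted -notcontains $owner) {
                [pscustomobject]@{ Path = $item.FullName; Sid = $owner; Finding = 'Owner'; Inherited = $false }
            }
            foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($Trusted -contains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $ace.IdentityReference.Value
                    Finding   = $ace.FileSystemRights.ToString()
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-RiskyAce -Path $Paths | Sort-Object Path, Sid | Format-Table -AutoSize
```

An empty result means no untrusted owner or write-capable ACE was found; rows with `Inherited = True` point to a permissive parent path rather than an explicit grant.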
Monitoring Recommendations
- Enable file system object access auditing on the i-フィルター installation root and backup paths.
- Forward endpoint file integrity telemetry to a centralized SIEM or data lake for correlation with process ancestry.
- Alert when a non-elevated process writes to a directory whose contents are later loaded by a SYSTEM-context service.
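Event 4663 and 4670 records are only produced once both the audit policy and a SACL on the directory are in place. The following added example (not from the original advisory or the vendor) sets both from an elevated PowerShell session; the install path is the one used in this page's icacls example and the backup path is a placeholder.

```powershell
# Added example; run elevated. Install path taken from this page's icacls example;
# the backup path is a placeholder to replace with the real location.
$Paths = 'C:\Program Files\Digital Arts\i-Filter', 'C:\PLACEHOLDER\i-Filter-backup'

# Enable success auditing for the File System subcategory. The subcategory GUID is
# used instead of its display name because the name is localized.
auditpol /set /subcategory:"{0CCE921D-69AE-11D9-BED3-505054503030}" /success:enable

# Audit successful writes, deletes and permission/owner changes by any principal
# (Everyone, S-1-1-0), inherited by all files and subdirectories.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone,
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    'ContainerInherit, ObjectInherit', 'None', 'Success')

foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Not found: $p"; continue }
    $acl = Get-Acl -LiteralPath $p -Audit   # -Audit loads the SACL as well as the DACL
    $acl.AddAuditRule($rule)                # adds to the SACL; the DACL is left unchanged
    Set-Acl -LiteralPath $p -AclObject $acl
}
```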
How to Mitigate CVE-2026-28267
Immediate Actions Required
- Inventory all endpoints running i-フィルター products and confirm the installed version against the fixed releases listed by Digital Arts Inc.
- Apply the vendor-provided update referenced in the JVN Security Advisory as soon as it is available in your change window.
- Restrict interactive local logon on hosts running i-フィルター to trusted administrative users where business policy allows.
Patch Information
Digital Arts Inc. has published remediation guidance through JVN and through its own product information documents. Refer to the JVN Security Advisory, the DAJ Information Document 1, and the DAJ Information Document 2 for the affected version list and update procedure. Fujitsu has published companion guidance in its Fujitsu KB Article.
Workarounds
- Manually tighten ACLs on the i-フィルター system and backup directories to remove write access for the Users and Authenticated Users groups.
- Limit the number of standard users who can log on interactively to hosts running the affected products.
- Monitor the protected directories with file integrity tooling until the official patch is deployed.
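# Example: remove inherited write permissions and grant write only to Administrators and SYSTEM
# Stop inheriting ACEs from the parent path (removes all inherited entries)
icacls "C:\Program Files\Digital Arts\i-Filter" /inheritance:r
# Replace explicit grants: full control for Administrators and SYSTEM, read and execute for Users
icacls "C:\Program Files\Digital Arts\i-Filter" /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "Users:(OI)(CI)RX"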


