CVE-2026-32325: ServerView Agents Privilege Escalation

CVE-2026-32325 Overview

CVE-2026-32325 is a privilege chaining vulnerability in ServerView Agents for Windows V11.60.04 and earlier. A local authenticated attacker who can log in to the server where the affected product is installed can chain privileges to obtain SYSTEM privilege. The weakness is categorized under [CWE-268] (Privilege Chaining) and requires local access with low privileges. Exploitation does not require user interaction. Once successful, the attacker gains full control of the host, including the ability to install drivers, disable security tooling, and access all data on the system.

Critical Impact

A low-privileged local user can escalate to SYSTEM, the highest privilege level on Windows, on any host running ServerView Agents V11.60.04 or earlier.

Affected Products

• ServerView Agents for Windows V11.60.04
• ServerView Agents for Windows versions prior to V11.60.04
• Windows servers with ServerView Agents installed for hardware monitoring

Discovery Timeline

• 2026-06-01 - CVE-2026-32325 published to NVD
• 2026-06-01 - Last updated in NVD database

Technical Details for CVE-2026-32325

Vulnerability Analysis

The issue is a privilege chaining flaw [CWE-268] in ServerView Agents for Windows. Privilege chaining occurs when a process or user combines multiple legitimate privileges in a sequence that yields more authority than any single privilege grants on its own. In this case, the chain ends with the attacker holding the Windows SYSTEM token. The product runs components with elevated rights to perform hardware monitoring and management tasks. A local authenticated user can leverage these elevated components to execute actions or load code that runs under the agent's privileged context. The vulnerability is local-only and cannot be triggered remotely without prior access to an interactive or service session on the host.

Root Cause

The root cause is improper separation between privileged service operations and unprivileged caller input within ServerView Agents. Privileged operations exposed by the agent accept actions from lower-privileged contexts without sufficient enforcement, allowing an attacker to chain those actions into full SYSTEM execution. Refer to the JVN Security Advisory and the FSA Tech Security Resource for vendor-supplied technical detail.

Attack Vector

The attacker must already hold valid credentials and an interactive or remote session on the target server. From that session, the attacker invokes the privileged agent functionality and chains the granted privileges into arbitrary code execution under the SYSTEM account. No user interaction from another account is required, and no network access path exists to the vulnerable code.

No verified public exploit code is currently available. The vulnerability is described in prose only; see the vendor advisories for component-specific technical information.

Detection Methods for CVE-2026-32325

Indicators of Compromise

• Unexpected child processes spawned by ServerView Agents service binaries running as NT AUTHORITY\SYSTEM.
• New local administrator accounts or service installations following interactive logons by non-administrative users.
• Modifications to ServerView Agents configuration files or registry keys by non-administrative users.
• Anomalous cmd.exe, powershell.exe, or scripting host processes whose parent is a ServerView Agents component.

Detection Strategies

• Inventory all Windows servers running ServerView Agents and flag any at or below V11.60.04.
• Build an EDR rule that alerts when a privileged ServerView Agents process launches a shell, scripting interpreter, or unsigned binary.
• Correlate Windows Security event ID 4672 (special privileges assigned) with the parent process chain to identify token elevation paths originating from the agent.
• Hunt for process tree anomalies where a standard user session leads to a SYSTEM process through the ServerView Agents service.

Monitoring Recommendations

• Enable Windows command-line process auditing (event ID 4688 with command line) on all servers running the agent.
• Forward Sysmon process creation, image load, and registry events to a centralized SIEM for retrospective hunting.
• Monitor service binary integrity for ServerView Agents executables and DLLs in Program Files.
• Track logon events for non-administrative accounts on servers that host the agent, since local authentication is a prerequisite for exploitation.

How to Mitigate CVE-2026-32325

Immediate Actions Required

• Identify every Windows server running ServerView Agents V11.60.04 or earlier and prioritize them for patching.
• Restrict interactive and remote logon rights on affected servers to administrators only until patches are deployed.
• Review accounts with local logon rights and remove any that do not require server access.
• Audit recent process and account activity on affected hosts to confirm no prior exploitation occurred.

Patch Information

Fujitsu has published vendor advisories for this issue. Apply the fixed version of ServerView Agents for Windows as documented in the JVN Security Advisory and the FSA Tech Security Resource. Update all instances above V11.60.04 to the vendor-supplied fixed release.

Workarounds

• Limit local logon rights on affected servers to a small set of trusted administrators using Group Policy User Rights Assignment.
• Disable or stop the ServerView Agents service on hosts where hardware monitoring is not strictly required until the patch is applied.
• Apply application allow-listing to block unauthorized binaries from executing under the agent's service context.
• Segment management networks so that only administrative jump hosts can reach servers running the agent.

# Configuration example: enumerate hosts running ServerView Agents via PowerShell remoting
Invoke-Command -ComputerName (Get-Content servers.txt) -ScriptBlock {
    Get-CimInstance -ClassName Win32_Product |
        Where-Object { $_.Name -like 'ServerView Agents*' } |
        Select-Object PSComputerName, Name, Version
}