CVE-2026-4822 Overview
A vulnerability has been identified in Enter Software Iperius Backup versions up to and including 8.7.3. The vulnerability affects the Backup Service component, specifically within the file handling operations in C:\ProgramData\IperiusBackup\Jobs\. This flaw enables the creation of temporary files with insecure permissions, potentially allowing local attackers to access or manipulate sensitive backup job data.
Critical Impact
Local attackers with low privileges can exploit insecure temporary file permissions in Iperius Backup to potentially access, modify, or disclose sensitive backup configuration and job data, leading to compromise of backup integrity or information disclosure.
Affected Products
- Enter Software Iperius Backup versions up to 8.7.3
- Iperius Backup Service component
- Windows systems with the C:\ProgramData\IperiusBackup\Jobs\ directory
Discovery Timeline
- 2026-03-25 - CVE-2026-4822 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-4822
Vulnerability Analysis
This vulnerability is classified under CWE-377 (Insecure Temporary File), which occurs when an application creates temporary files in a manner that allows unauthorized access or manipulation. In the case of Iperius Backup, the Backup Service creates temporary files within the C:\ProgramData\IperiusBackup\Jobs\ directory with overly permissive access controls.
The exploitation of this vulnerability requires local access to the system and is considered difficult due to the high degree of complexity involved. An attacker would need to understand the specific timing and conditions under which these temporary files are created and persist on the filesystem.
Root Cause
The root cause of this vulnerability lies in improper permission settings applied to temporary files created by the Iperius Backup Service during backup job operations. When the service generates these files, it fails to properly restrict access permissions, allowing other local users on the system to potentially read or write to these files. This violates the principle of least privilege and creates an opportunity for local privilege escalation or information disclosure.
Attack Vector
The attack requires local access to the affected system. An attacker with low-level user privileges on a Windows system running a vulnerable version of Iperius Backup could monitor the C:\ProgramData\IperiusBackup\Jobs\ directory for temporary file creation. Due to the insecure permissions, the attacker may be able to:
- Read sensitive backup job configuration data
- Modify temporary files to alter backup behavior
- Leverage the insecure file handling to escalate privileges
The attack complexity is high, requiring precise timing and knowledge of the application's file handling behavior. The exploit for this vulnerability has been made public, increasing the risk of exploitation in the wild.
For detailed technical analysis of this vulnerability, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-4822
Indicators of Compromise
- Unusual file access patterns in the C:\ProgramData\IperiusBackup\Jobs\ directory by non-service accounts
- Modification timestamps on temporary files that don't align with scheduled backup operations
- Unexpected processes reading or writing to the Iperius Backup jobs directory
- Security event logs showing access denied errors followed by successful access to temporary files
Detection Strategies
- Monitor file system activity in C:\ProgramData\IperiusBackup\Jobs\ for access by non-privileged users
- Implement Windows Security Auditing on the affected directory to capture file access events
- Use SentinelOne's Behavioral AI to detect anomalous file access patterns in backup service directories
- Deploy endpoint detection rules to alert on temporary file manipulation by unauthorized processes
Monitoring Recommendations
- Enable Windows Object Access auditing for the C:\ProgramData\IperiusBackup\Jobs\ directory
- Configure SentinelOne to alert on file permission changes in application data directories
- Monitor process creation events for non-standard executables accessing Iperius Backup files
- Regularly audit file permissions on the affected directory to ensure proper access controls
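One way to carry out the object access auditing recommended above, as an added example that is not from the vendor or the original page. It assumes Windows PowerShell 5.1 in an elevated session, an English-language audit subcategory name, and that the backup service runs as LocalSystem; the function names are hypothetical.

```powershell
# Added example, not vendor code. Run elevated in Windows PowerShell 5.1.
$Path = 'C:\ProgramData\IperiusBackup\Jobs'   # directory named in the advisory

function Enable-JobsDirAudit {
    # Turn on the File System object-access subcategory (English subcategory name).
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

    # Audit Everyone (S-1-1-0) for reads, writes, deletes and ACL changes,
    # inherited by every file and subfolder so short-lived temp files are covered.
    $everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
    $rights   = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, ChangePermissions'
    $inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop     = [System.Security.AccessControl.PropagationFlags]::None
    $flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule     = [System.Security.AccessControl.FileSystemAuditRule]::new($everyone, $rights, $inherit, $prop, $flags)

    $acl = Get-Acl -LiteralPath $Path -Audit
    $acl.AddAuditRule($rule)
    # Persist through DirectoryInfo so only the modified SACL section is written.
    (Get-Item -LiteralPath $Path).SetAccessControl($acl)
}

function Get-JobsDirAccess {
    param([int]$MaxEvents = 2000)
    # Event 4663: "An attempt was made to access an object".
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # Assumption: the backup service runs as LocalSystem (S-1-5-18); other callers are reported.
            if ($d['ObjectName'] -like "$Path*" -and $d['SubjectUserSid'] -ne 'S-1-5-18') {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                    Process = $d['ProcessName']
                    Object  = $d['ObjectName']
                    Access  = $d['AccessMask']
                }
            }
        }
}

Enable-JobsDirAudit
Get-JobsDirAccess | Sort-Object Time | Format-Table -AutoSize
```

Only access that happens after the audit rule is in place is logged, so run the query again after the next scheduled backup job.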
How to Mitigate CVE-2026-4822
Immediate Actions Required
- Upgrade Iperius Backup to version 8.7.4 or later immediately
- Audit current file permissions on the C:\ProgramData\IperiusBackup\Jobs\ directory
- Review system logs for potential past exploitation attempts
- Restrict local user access to systems running Iperius Backup where possible
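The permission audit listed above can be scripted. The following is an added example, not vendor code and not part of the original page: it lists every allow ACE under the Jobs directory that gives read or write access to a principal other than SYSTEM or Administrators. The function name Get-UntrustedAce is hypothetical, and the script assumes an elevated Windows PowerShell session.

```powershell
# Added example (not vendor code): list ACEs under the Jobs directory that grant
# read or write access to anyone other than SYSTEM or Administrators.
$Path = 'C:\ProgramData\IperiusBackup\Jobs'   # path taken from the advisory

# Well-known SIDs, so the check also works on localized Windows installs.
$Trusted = @('S-1-5-18', 'S-1-5-32-544')      # SYSTEM, BUILTIN\Administrators

# Specific rights that expose or allow tampering with job and temp files, plus
# the four generic-rights bits (0xF0000000) that inherit-only ACEs often carry.
$RiskMask = [int][System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor -268435456

function Get-UntrustedAce {
    param([string]$Item)
    $acl = Get-Acl -LiteralPath $Item
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or $Trusted -contains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $RiskMask) -eq 0) { continue }
        # Resolve the SID to an account name when possible; keep the SID otherwise.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }
        [pscustomobject]@{
            Path      = $Item
            Principal = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "$Path not found; Iperius Backup may not be installed on this host."
    return
}

# Check the directory itself and everything currently inside it.
$items = @($Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
                      Select-Object -ExpandProperty FullName)
$findings = $items | ForEach-Object { Get-UntrustedAce -Item $_ }

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output "No ACEs for non-administrative principals found under $Path" }
```

Temporary files may not exist at the moment the script runs, so pay particular attention to inheritable ACEs reported on the directory itself: those are what a newly created file would pick up if it inherits its permissions from the parent.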
Patch Information
Enter Software has released version 8.7.4 of Iperius Backup to address this vulnerability. The vendor responded professionally and released the fixed version promptly after responsible disclosure. Users should upgrade to version 8.7.4 or later to remediate this vulnerability. The updated software can be obtained from the Iperius Backup Software Download page.
Workarounds
- Manually restrict NTFS permissions on C:\ProgramData\IperiusBackup\Jobs\ to only allow access by the SYSTEM account and Administrators
- Limit local user accounts on systems running Iperius Backup to reduce attack surface
- Monitor the affected directory for unauthorized access until the patch can be applied
- Consider running Iperius Backup on isolated systems with minimal user access
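# Windows PowerShell - Restrict permissions on affected directory
# Run as Administrator
# Grant explicit full control first so the backup service is never left without access
icacls "C:\ProgramData\IperiusBackup\Jobs" /grant:r "SYSTEM:(OI)(CI)F"
icacls "C:\ProgramData\IperiusBackup\Jobs" /grant:r "Administrators:(OI)(CI)F"
# Then remove the ACEs inherited from the parent directory
icacls "C:\ProgramData\IperiusBackup\Jobs" /inheritance:r
# Review the result; explicit ACEs for other principals are not removed by the commands above
icacls "C:\ProgramData\IperiusBackup\Jobs"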
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


