CVE-2026-5055 Overview
CVE-2026-5055 is a local privilege escalation vulnerability in NoMachine remote desktop software. The flaw resides in the NoMachine Device Server component, which loads a library from an unsecured location on disk. An attacker with the ability to execute low-privileged code on the target system can plant a malicious library that the service loads at startup or runtime. Successful exploitation grants code execution in the context of SYSTEM. The issue is tracked as [CWE-427: Uncontrolled Search Path Element] and was originally reported through the Zero Day Initiative as ZDI-CAN-28494.
Critical Impact
Local attackers can escalate from a low-privileged user account to SYSTEM, achieving full control of the affected Windows host.
Affected Products
- NoMachine for Windows (all versions prior to the vendor-supplied fix)
- NoMachine Enterprise Server installations on Windows
- NoMachine Device Server component
Discovery Timeline
- 2026-04-11 - CVE-2026-5055 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-5055
Vulnerability Analysis
The vulnerability stems from how the NoMachine Device Server resolves and loads a dependent library at runtime. The service searches a directory that does not enforce strict access controls. A low-privileged user can write a malicious DLL into that search path. When the privileged service loads the library, the attacker-controlled code executes within the service process.
Because the NoMachine Device Server runs as SYSTEM on Windows, the injected code inherits full local privileges. The attacker gains the ability to install persistence mechanisms, disable security tooling, access protected files, and create privileged accounts. The attack requires no user interaction beyond the attacker's initial low-privileged code execution, although the payload only runs when the service next loads the library, which may be immediately or at the next service start or reboot.
Root Cause
The root cause is an uncontrolled search path element [CWE-427]. The Device Server invokes library loading APIs without specifying a fully qualified path or applying SetDefaultDllDirectories style hardening. The loader falls back to a directory writable by standard users. This violates the principle that privileged services must only load binaries from trusted, ACL-protected locations.
Attack Vector
Exploitation requires local code execution as a standard user. The attacker drops a crafted DLL with a name matching the missing or hijackable dependency into the unsecured search location. The NoMachine Device Server then loads the malicious DLL during normal operation or on the next service start. Code in DllMain runs as SYSTEM, completing the privilege escalation.
No verified public exploit code is available at the time of writing. Technical details are documented in the Zero Day Initiative Advisory ZDI-26-249.
Detection Methods for CVE-2026-5055
Indicators of Compromise
- Unexpected DLL files written to NoMachine installation directories or adjacent paths writable by non-administrative users.
- NoMachine Device Server process (nxd.exe or related binaries) loading modules from non-standard directories.
- Child processes spawned by the NoMachine service running as SYSTEM shortly after a standard user session begins.
Detection Strategies
- Hunt for module loads by NoMachine service processes where the loaded module's path is outside the NoMachine installation directory (by default under %ProgramFiles% or %ProgramFiles(x86)%, depending on the build) and the Windows system directories (System32, SysWOW64). Separately hunt for modules in those processes that are unsigned or carry a signature from a publisher other than the vendor or Microsoft, since a DLL planted inside the installation directory itself will not be caught by a path check alone.
- Alert on file creation events for *.dll files in directories that fall within the NoMachine service search path and are writable by BUILTIN\Users.
- Correlate process creation events where a non-administrative user precedes a SYSTEM-context process originating from the NoMachine service tree.
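The three detection strategies above, run over sample telemetry, as an added example that is not from the page, the ZDI advisory or NoMachine. The events are constructed in a simplified form of Sysmon's XML layout for Event ID 7 (Image Loaded) and Event ID 11 (FileCreate); the install path, the bin subdirectory, the nxd.exe image under it and every DLL name are assumptions. The rules flag a .dll created under the install tree by a non-privileged account, a NoMachine process loading exactly that file afterwards (the correlation strategy), an unsigned module in a NoMachine process, and a module loaded from outside the install and Windows system directories.

```python
"""Hunt Sysmon telemetry for the CVE-2026-5055 planting pattern: a .dll written under the
NoMachine install tree by a non-administrative account (Event ID 11, FileCreate), and a
NoMachine service process loading a planted, unsigned or out-of-place module (Event ID 7,
Image Loaded). Added example, not part of the original page or of NoMachine; the events
are constructed, and the install path, bin subdirectory, process name and DLL names are assumed."""
import xml.etree.ElementTree as ET

INSTALL_DIR = r"C:\Program Files (x86)\NoMachine"           # assumed default install location
TRUSTED_LOAD_ROOTS = (INSTALL_DIR, r"C:\Windows\System32", r"C:\Windows\SysWOW64",
                      r"C:\Windows\WinSxS")
PRIVILEGED_USERS = {r"NT AUTHORITY\SYSTEM", r"NT AUTHORITY\LOCAL SERVICE",
                    r"NT AUTHORITY\NETWORK SERVICE"}  # extend with known admin/update accounts

# Constructed events: a baseline load and an installer-written DLL (both benign), then a
# low-privileged user planting a DLL that the SYSTEM service loads, and finally a signed
# module loaded from a directory outside the trusted roots.
SAMPLE_EVENTS = r"""<Events>
<Event><System><EventID>7</EventID></System><EventData>
<Data Name="UtcTime">2026-04-12 08:00:01.000</Data>
<Data Name="Image">C:\Program Files (x86)\NoMachine\bin\nxd.exe</Data>
<Data Name="ImageLoaded">C:\Windows\SysWOW64\version.dll</Data>
<Data Name="Signed">true</Data>
<Data Name="User">NT AUTHORITY\SYSTEM</Data>
</EventData></Event>
<Event><System><EventID>11</EventID></System><EventData>
<Data Name="UtcTime">2026-04-12 08:00:02.000</Data>
<Data Name="Image">C:\Windows\System32\msiexec.exe</Data>
<Data Name="TargetFilename">C:\Program Files (x86)\NoMachine\bin\nxupdate.dll</Data>
<Data Name="User">NT AUTHORITY\SYSTEM</Data>
</EventData></Event>
<Event><System><EventID>11</EventID></System><EventData>
<Data Name="UtcTime">2026-04-12 09:15:40.000</Data>
<Data Name="Image">C:\Windows\System32\cmd.exe</Data>
<Data Name="TargetFilename">C:\Program Files (x86)\NoMachine\bin\hypothetical.dll</Data>
<Data Name="User">DESKTOP-01\lowpriv</Data>
</EventData></Event>
<Event><System><EventID>7</EventID></System><EventData>
<Data Name="UtcTime">2026-04-12 09:16:05.000</Data>
<Data Name="Image">C:\Program Files (x86)\NoMachine\bin\nxd.exe</Data>
<Data Name="ImageLoaded">C:\Program Files (x86)\NoMachine\bin\hypothetical.dll</Data>
<Data Name="Signed">false</Data>
<Data Name="User">NT AUTHORITY\SYSTEM</Data>
</EventData></Event>
<Event><System><EventID>7</EventID></System><EventData>
<Data Name="UtcTime">2026-04-12 09:16:06.000</Data>
<Data Name="Image">C:\Program Files (x86)\NoMachine\bin\nxd.exe</Data>
<Data Name="ImageLoaded">C:\Tools\helper.dll</Data>
<Data Name="Signed">true</Data>
<Data Name="User">NT AUTHORITY\SYSTEM</Data>
</EventData></Event>
</Events>"""

def parse_events(xml_text):
    """Yield (event_id, {field: value}) for each Sysmon Event element."""
    for ev in ET.fromstring(xml_text).iter("Event"):
        yield int(ev.findtext("System/EventID")), {d.get("Name"): (d.text or "") for d in ev.iter("Data")}

def under(path, root):
    """Case-insensitive 'path lies inside root'; a sibling directory sharing the prefix does not match."""
    return path.lower().startswith(root.lower().rstrip("\\") + "\\")

def hunt(xml_text):
    """Return (rule, utc_time, detail) findings in event order."""
    findings, planted = [], {}   # planted: lowercase DLL path -> account that wrote it
    for eid, d in parse_events(xml_text):
        when = d.get("UtcTime", "")
        if eid == 11:
            target, user = d["TargetFilename"], d["User"]
            if (target.lower().endswith(".dll") and under(target, INSTALL_DIR)
                    and user not in PRIVILEGED_USERS):
                planted[target.lower()] = user
                findings.append(("dll-planted-by-low-priv-user", when, f"{user} wrote {target}"))
        elif eid == 7 and under(d["Image"], INSTALL_DIR):
            loaded, image = d["ImageLoaded"], d["Image"]
            if loaded.lower() in planted:   # the correlation the third strategy asks for
                findings.append(("planted-dll-loaded-by-service", when,
                                 f"{image} loaded {loaded} written by {planted[loaded.lower()]}"))
            if d.get("Signed", "").lower() != "true":
                findings.append(("unsigned-module-in-service", when, f"{image} loaded unsigned {loaded}"))
            if not any(under(loaded, root) for root in TRUSTED_LOAD_ROOTS):
                findings.append(("module-loaded-from-untrusted-path", when, f"{image} loaded {loaded}"))
    return findings

if __name__ == "__main__":
    for rule, when, detail in hunt(SAMPLE_EVENTS):
        print(f"{when}  {rule:36} {detail}")
```

Accounts that legitimately update the software (installer service accounts, named administrators) belong in PRIVILEGED_USERS, or the first rule fires on every manual upgrade. The correlation rule keys on the exact path, so it only triggers when the FileCreate event was observed before the load; a DLL planted before Sysmon was deployed is still caught by the unsigned-module and untrusted-path rules.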
Monitoring Recommendations
- Enable Sysmon Event IDs 7 (Image Loaded) and 11 (FileCreate) and forward them to a centralized analytics platform for review. Event ID 7 is high-volume, so scope it in the Sysmon configuration to the NoMachine service binaries and to loads from outside System32, SysWOW64 and the installation directory rather than logging every module load fleet-wide.
- Audit ACLs on all directories listed in the NoMachine service search path and flag any user-writable locations.
- Track unsigned or newly created DLLs loaded by services running as LocalSystem across the fleet.
How to Mitigate CVE-2026-5055
Immediate Actions Required
- Inventory all Windows endpoints and servers running NoMachine and identify installed versions.
- Restrict file system permissions on the NoMachine installation directory and any user-writable directories in the service's DLL search path.
- Limit local interactive logon on systems hosting the NoMachine Device Server to reduce the pool of users who could plant a malicious DLL.
Patch Information
NoMachine has not published a vendor advisory URL in the referenced data. Administrators should consult the Zero Day Initiative Advisory ZDI-26-249 and the official NoMachine download portal for the latest fixed release. Apply the patched version on all affected hosts and restart the Device Server to ensure the hardened loader logic is active.
Workarounds
- Remove write permissions for non-administrative users from any directory in the NoMachine service's DLL search path.
- Stop and disable the NoMachine Device Server on systems where the remote access capability is not required until a patch is applied.
- Apply application allowlisting (such as Windows Defender Application Control or AppLocker) to block unsigned DLLs from loading into privileged service processes. AppLocker DLL rules live in a separate rule collection that is not enabled by default; enable it in audit-only mode first, since it applies to every process on the host, not only the NoMachine service.
# Configuration example (PowerShell): audit and tighten ACLs on the NoMachine directory; adjust the path to the actual install location
# Audit first: list every ACE in the install tree that names Everyone, Users or Authenticated Users
icacls "C:\Program Files (x86)\NoMachine" /T /C | findstr /I "Everyone Users Authenticated"
# Drop inherited ACEs on the root, then replace its DACL: SYSTEM and Administrators full control, Users read and execute only
icacls "C:\Program Files (x86)\NoMachine" /inheritance:r
icacls "C:\Program Files (x86)\NoMachine" /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"
# Strip explicit grants to broad groups from every subdirectory and file, so no child keeps a writable ACE of its own; then re-run the audit and restart the service
icacls "C:\Program Files (x86)\NoMachine" /remove "Authenticated Users" "Everyone" /T /C
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


