CVE-2026-12602 | Incorrect default permissions in ArubaSign, affecting versio… | CVSS 8.8 HIGH

Description

Incorrect default permissions in ArubaSign, affecting versions prior to v4.6.6. The vulnerability is caused by the assignment of inappropriate permissions during the software’s default installation, whereby the main executable and other programme files located in C:\Program Files have excessive permissions for the ‘Everyone’ group. This could allow an unprivileged user to replace the main executable and/or its components with a malicious file, thereby enabling the execution of arbitrary code. In the worst-case scenario, if the malicious code is executed with elevated privileges (such as those of Administrator or SYSTEM), the attacker could escalate privileges and gain full control of the system, compromising both security and data integrity.

Metadata

CVE ID: CVE-2026-12602
State: PUBLISHED
Assigner: INCIBE
Reserved: 2026-06-18 11:18 UTC
Published: 2026-06-22 12:34 UTC
Last updated: 2026-06-22 15:52 UTC
Primary CWE: CWE-276
CWE-276 Incorrect default permissions
Vendor / Product: Aruba / ArubaSign
Sources: cve.org · NVD

Severity & Metrics

8.8 HIGH CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Aruba	ArubaSign	—	0 < 4.6.6

Weakness (CWE)

CWE	Source	Description
CWE-276	cna	CWE-276 Incorrect default permissions

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.8	HIGH	4.0	cna	CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References (1)

https://www.incibe.es/en/incibe-cert/notices/aviso/incorrect-permissions-arubasign-aruba