CVE-2026-0873 PUBLISHED

Privilege Elevation in Ercom Cryptobox administration console

Assigner: THA-PSIRT
Reserved: 13.01.2026 Published: 04.02.2026 Updated: 04.02.2026

On a Cryptobox platform where administrator segregation based on entities is used, some vulnerabilities in Ercom Cryptobox administration console allows an authenticated entity administrator with knowledge to elevate his account to global administrator.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U
CVSS Score: 4.8

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	Low	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	High
User Interaction	None

CVSS 4.0

Product Status

Vendor	Ercom
Product	Cryptobox
Versions	Default: affected Version v4.40.x is unaffected

Affected Configurations

Multiple entities must be defined with dedicated administrators

Solutions

Upgrade to version 4.40.x.

References

https://info.cryptobox.com/doc/v4.40/4.40.en/

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') CWE
CWE-1220: Insufficient Granularity of Access Control CWE

Impacts

CAPEC-233: Privilege Escalation