CVE-2026-12602

Incorrect permissions in ArubaSign by Aruba

Assigner: INCIBE
Reserved: 18.06.2026 Published: 22.06.2026 Updated: 22.06.2026

Incorrect default permissions in ArubaSign, affecting versions prior to v4.6.6. The vulnerability is caused by the assignment of inappropriate permissions during the software’s default installation, whereby the main executable and other programme files located in C:\Program Files have excessive permissions for the ‘Everyone’ group. This could allow an unprivileged user to replace the main executable and/or its components with a malicious file, thereby enabling the execution of arbitrary code. In the worst-case scenario, if the malicious code is executed with elevated privileges (such as those of Administrator or SYSTEM), the attacker could escalate privileges and gain full control of the system, compromising both security and data integrity.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 8.8

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	Present	Availability	High	Availability	High
Privileges Required	None
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	Aruba
Product	ArubaSign
Versions	Default: unaffected affected from 0 to 4.6.6 (excl.)

Vendor

Aruba

Product

ArubaSign

Versions

Default: unaffected

affected from 0 to 4.6.6 (excl.)

Solutions

No solution has been reported as yet.

Credits

Andrea Intilangelo (acme) finder

References

Problem Types

CWE-276 Incorrect default permissions CWE