CVE-2026-3315 PUBLISHED

Local Privilege Escalation Due to Writable Executable in Privileged Visionline Service Path

Assigner: NCSC-FI
Reserved: 27.02.2026 Published: 10.03.2026 Updated: 10.03.2026

Incorrect Default Permissions, : Execution with Unnecessary Privileges, : Incorrect Permission Assignment for Critical Resource vulnerability in ASSA ABLOY Visionline on Windows allows Configuration/Environment Manipulation.This issue affects Visionline: from 1.0 before 1.33.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L/AU:Y/R:U/RE:L/U:Clear
CVSS Score: 5.8

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	Low	Confidentiality	Low
Attack Complexity	Low	Integrity	High	Integrity	Low
Attack Requirements	Present	Availability	Low	Availability	Low
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	ASSA ABLOY
Product	Visionline
Versions	Default: unaffected affected from 1.0 to 1.33 (excl.)

Workarounds

Right-click on the folder C:\ProgramData\ASSA ABLOY\Visionline\webserver
Select Properties
Select the Security tab
Click Advanced
Click Disable inheritance
Select Convert inherited permissions into explicit permissions on this object
Remove Users from the list

Credits

Withsecure Exposure Management reporter

References

https://https://www.vingcard.com/en/service-and-support/product-security-center

Problem Types

CWE-276 Incorrect Default Permissions CWE
CWE-250: Execution with Unnecessary Privileges CWE
CWE-732: Incorrect Permission Assignment for Critical Resource CWE

Impacts

CAPEC-176 Configuration/Environment Manipulation