CVE-2026-9789 PUBLISHED

NitroSense V3: Security Vulnerability Information

Assigner: Acer
Reserved: 28.05.2026 Published: 28.05.2026 Updated: 28.05.2026

A Local Privilege Escalation (LPE) vulnerability affects Acer NitroSense software versions prior to 3.01.3052. The vulnerability stems from the the PSAdminAgent service, which creates a Named Pipe with a weak Access Control List (ACL). This allows any authenticated local user to connect and send commands. Because the service does not check the caller's privileges before running file deletion commands, a low-privileged local user can exploit this to delete arbitrary files with system authority.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.5

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	Acer
Product	NitrorSense V3
Versions	Default: unaffected affected from 3.01.3001 to 3.01.3052 (incl.)

Solutions

This issue is resolved in NitroSense versions V3.01.3056.

Credits

Vo Duc Thang reporter

References

https://community.acer.com/en/kb/articles/19670

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE
CWE-269: Improper Privilege Management CWE
CWE-284: Improper Access Control CWE
CWE-732: Incorrect Permission Assignment for Critical Resource CWE

Impacts

CAPEC-69 Target Programs with Elevated Privileges