Executive Summary
CVE-2026-27788 is a high-severity local privilege escalation vulnerability in Fujitsu ServerView Agents for Windows, a server management software suite widely deployed on Fujitsu PRIMERGY servers in enterprise environments. The flaw results from incorrect permission assignment for a critical resource — a Windows-specific misconfiguration that allows a local authenticated attacker to gain SYSTEM-level privileges on the affected server.
CVSS Score: 7.8 (High)
While exploitation requires an existing local account, the ability to escalate to SYSTEM represents a critical stepping stone in post-exploitation scenarios, including ransomware deployment, lateral movement, and persistent backdoor installation. Organizations running Fujitsu server hardware with ServerView Agents should patch immediately.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-27788 |
| CVSS Score | 7.8 (High) |
| Type | Incorrect Permission Assignment for Critical Resource (CWE-732) |
| Attack Vector | Local |
| Privileges Required | Low (authenticated local user) |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Component | ServerView Agents for Windows |
| Fixed Version | V11.60.05 or later |
Affected Products
| Product | Affected Versions | Platform | Remediation |
|---|---|---|---|
| ServerView Agents for Windows | V11.60.04 and earlier | Windows Server | Upgrade to V11.60.05+ |
Technical Analysis
What Is ServerView Agents?
Fujitsu ServerView Agents is a server management software package installed on Fujitsu PRIMERGY servers to enable remote hardware monitoring, hardware status reporting, and integration with the ServerView Operations Manager (SVOM) management console. The agents run with elevated Windows service account privileges to access hardware sensors, IPMI interfaces, and system health data.
Root Cause: Incorrect Permission Assignment
The vulnerability stems from incorrect file or directory permissions applied to a critical resource used by the ServerView Agents service. In Windows environments, this typically manifests as one of:
- A service binary or configuration file writable by low-privileged users
- A directory in the service's execution path with weak ACLs (DLL hijacking opportunity)
- A named pipe, registry key, or service configuration accessible to standard users
When a Windows service runs as SYSTEM (or a highly privileged account) but its associated resources are writable by lower-privileged users, attackers can replace or inject into those resources to achieve code execution in the service's security context — effectively obtaining SYSTEM privileges.
Attack Chain
Attack Path (Typical CWE-732 Privilege Escalation):
1. Attacker obtains any valid local Windows account on the target server
2. Identifies misconfigured resource (file/directory/registry key) owned by ServerView service
3. Writes malicious payload to the misconfigured resource
(e.g., replaces a DLL, modifies a config that triggers command execution)
4. Triggers a service restart, or waits for a reboot or for the next time the service loads the tampered resource
5. Malicious code executes under the service's SYSTEM context
6. Attacker achieves full SYSTEM privileges on the Windows Server
Why This Matters on Server Hardware
ServerView Agents is deployed on enterprise server hardware — PRIMERGY rack servers and blade servers typically found in:
- Data centers and server rooms
- Hospital and healthcare IT infrastructure
- Government and municipal computing environments
- Financial institution server farms
Privilege escalation on these systems can provide a persistent foothold with full hardware-level access, including the ability to:
- Disable security software running as SYSTEM services
- Access credentials cached in LSASS memory (mimikatz-style attacks)
- Install persistent kernel-level implants
- Wipe or encrypt the server (ransomware)
Impact Assessment
| Impact Area | Description |
|---|---|
| Full System Compromise | SYSTEM access grants unrestricted control over the Windows Server |
| Credential Theft | LSASS memory dump possible to harvest cached domain credentials |
| Lateral Movement | Domain admin credentials harvested can propagate attack across the network |
| Ransomware Deployment | Administrative rights obtained via SYSTEM let the attacker delete volume shadow copies and encrypt every volume, not just the files the original account could reach |
| Hardware Monitoring Subversion | Attacker can manipulate health reporting, masking hardware tampering |
| Persistent Backdoor | Service-level persistence survives reboots with SYSTEM privileges |
Who Is at Risk
Organizations are at risk if they:
- Run Fujitsu PRIMERGY servers with ServerView Agents installed
- Have ServerView Agents version V11.60.04 or earlier
- Allow any local user account on the server (service accounts, helpdesk accounts, vendor accounts)
The risk is elevated in environments where:
- Multiple teams or vendors have local server access
- Servers are shared-use (e.g., RDS/terminal server deployments)
- Insider threat scenarios are a concern
Remediation
Step 1: Identify Affected Systems
# Check installed ServerView Agents version on Windows (both the 64-bit and the 32-bit uninstall hives)
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*,
                 HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* -ErrorAction SilentlyContinue |
Where-Object { $_.DisplayName -like "*ServerView*" } |
Select-Object DisplayName, DisplayVersion
# Alternative: check the service binary path and the account it runs as
# (Get-CimInstance replaces Get-WmiObject, which no longer exists in PowerShell 7;
# the PathName match catches the service even if its short name does not contain "ServerView")
Get-CimInstance Win32_Service | Where-Object { $_.Name -like "*ServerView*" -or $_.PathName -like "*ServerView*" } |
Select-Object Name, PathName, StartName
Step 2: Apply the Vendor Patch
Download and install ServerView Agents V11.60.05 or later from the Fujitsu support portal. Follow the vendor's upgrade instructions to preserve existing monitoring configurations.
Step 3: Audit Resource Permissions (Interim)
# Check permissions on the ServerView installation directory (adjust the path to what Step 1 reported; add /T to recurse)
icacls "C:\Program Files\Fujitsu\ServerView Suite\Agents"
# Look for BUILTIN\Users, NT AUTHORITY\Authenticated Users or Everyone with (F), (M), (W), (WD) or (AD)
# after the inheritance flags, e.g. BUILTIN\Users:(OI)(CI)(M)
# These indicate writable paths exploitable by any local user
If overly permissive ACLs are found prior to patching, restrict them:
# Remove the explicitly granted ACEs for standard users across the tree. Inherited read/execute
# entries from C:\Program Files are left in place, so the agent keeps running. If the weak ACE is
# itself inherited, run the same command against the parent directory that carries it instead.
icacls "C:\Program Files\Fujitsu\ServerView Suite\Agents" /remove:g "BUILTIN\Users" /T
Step 4: Principle of Least Privilege
Audit which accounts have local access to affected servers. Remove unnecessary local accounts and restrict RDP/console access to named administrators only.
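The four steps above, as one fleet-wide script. This is an added example, not Fujitsu's tooling: it collects the installed version, service account and binary path from each server over WinRM, compares the version numerically against the fixed release, and lists which principals can log on locally (Step 4). It assumes WinRM is reachable, the caller is a local administrator on the targets, the product registers under the standard Uninstall keys with "ServerView" and "Agent" in DisplayName, and DisplayVersion looks like "V11.60.04"; the host names are placeholders.

```powershell
# Added example (not Fujitsu's tooling): inventory for Steps 1 and 4 across a list of servers.
# Assumptions: WinRM reachable, caller is local admin on the targets, product registered under the
# standard Uninstall keys with "ServerView" and "Agent" in DisplayName, DisplayVersion like "V11.60.04".

$FixedVersion = [version]'11.60.05'              # fixed release from the advisory
$Servers      = @('primergy01', 'primergy02')    # assumed host names; replace with your own list

function ConvertTo-AgentVersion {
    # Normalise "V11.60.04", "11.60.04" or "11.60.04-1" to a [version] so the comparison is numeric;
    # a plain string comparison would rank "V11.9" above "V11.60" and miss affected hosts.
    param([string]$DisplayVersion)
    $clean = ($DisplayVersion -replace '^\s*[Vv]', '') -replace '[^0-9.].*$', ''
    if ($clean -match '^\d+(\.\d+){1,3}$') { return [version]$clean }
    return $null
}

function Test-AgentAffected {
    # $true when the version is below the fix, or cannot be parsed (unknown is treated as affected until verified)
    param([string]$DisplayVersion)
    $v = ConvertTo-AgentVersion $DisplayVersion
    if ($null -eq $v) { return $true }
    return $v -lt $FixedVersion
}

# Runs on each target. Functions defined above are not available in the remote session,
# so this block only collects facts; the affected/not-affected decision is made locally.
$Collect = {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $agent = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like '*ServerView*Agent*' } | Select-Object -First 1
    if (-not $agent) { return }     # no agent installed: nothing to report for this host
    $svc = Get-CimInstance Win32_Service -Filter "PathName LIKE '%ServerView%'" | Select-Object -First 1
    # Step 4 input: who can reach a local logon (console or RDP) on this server
    $members = foreach ($g in 'Administrators', 'Remote Desktop Users') {
        (Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue).Name
    }
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        DisplayName          = $agent.DisplayName
        DisplayVersion       = $agent.DisplayVersion
        ServiceName          = $svc.Name
        RunsAs               = $svc.StartName
        BinaryPath           = $svc.PathName
        LocalLogonPrincipals = ($members | Sort-Object -Unique) -join ';'
    }
}

$report = Invoke-Command -ComputerName $Servers -ScriptBlock $Collect -ErrorAction Continue |
    Select-Object ComputerName, DisplayVersion,
                  @{ n = 'Affected'; e = { Test-AgentAffected $_.DisplayVersion } },
                  ServiceName, RunsAs, BinaryPath, LocalLogonPrincipals

$report | Sort-Object Affected -Descending | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\serverview-agents-inventory.csv
```

Hosts whose agent line is missing from the CSV either have no agent or could not be reached; both cases deserve a second look rather than being treated as clean.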
Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected SYSTEM-level processes spawned by ServerView service | Possible exploitation |
| New local administrator accounts created unexpectedly | Post-exploitation persistence |
| Modified files in ServerView installation directory | Resource tampering |
| LSASS access from unexpected processes | Potential credential dumping post-escalation |
| Disabled Windows Defender / AV services | Attacker disabling security tools using SYSTEM access |
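The indicator table as hunting logic. This is an added example, not part of the advisory or of any Fujitsu product: it classifies Sysmon process-create, file-create and process-access records plus Security log account events against the indicators above. The install directory is an assumption (adjust it to what Step 1 reported), the LSASS accessor allowlist is a starting point, and the sample records at the bottom are constructed, with invented image names, so the logic can be exercised offline.

```powershell
# Added example (not from the advisory or Fujitsu): detection logic for the indicator table, run over
# Sysmon-style records. $AgentDir is an assumed install path; the sample events below are constructed.

$AgentDir = 'C:\Program Files\Fujitsu\ServerView Suite\Agents'   # assumed install path
# Processes that legitimately open LSASS; extend with your AV/EDR engine before using in production
$LsassAccessAllowlist = @('C:\Windows\System32\csrss.exe', 'C:\Windows\System32\wininit.exe',
                          'C:\Windows\System32\services.exe', 'C:\Windows\System32\svchost.exe')

function Test-UnderAgentDir {
    param([string]$Path)
    return ($Path -and $Path.StartsWith($AgentDir, [System.StringComparison]::OrdinalIgnoreCase))
}

function Get-AgentIndicators {
    # Each record carries the event Id plus the Sysmon/Security EventData fields as properties or keys.
    # Emits one finding per matching record; benign records produce nothing.
    param([Parameter(Mandatory)] [object[]]$Records)
    foreach ($r in $Records) {
        switch ([int]$r.Id) {
            1 {   # ProcessCreate: the agent service has no business spawning processes outside its own tree
                if ((Test-UnderAgentDir $r.ParentImage) -and -not (Test-UnderAgentDir $r.Image)) {
                    [pscustomobject]@{ Indicator = 'ChildOfAgentService'; Detail = "$($r.ParentImage) -> $($r.Image)" }
                }
            }
            11 {  # FileCreate: writes into the install tree by anything other than the agent or the installer
                if ((Test-UnderAgentDir $r.TargetFilename) -and -not (Test-UnderAgentDir $r.Image) -and
                    ($r.Image -notmatch '\\msiexec\.exe$')) {
                    [pscustomobject]@{ Indicator = 'AgentDirTampering'; Detail = "$($r.Image) wrote $($r.TargetFilename)" }
                }
            }
            10 {  # ProcessAccess: a handle to LSASS from a source that is not on the allowlist
                if ($r.TargetImage -match '\\lsass\.exe$' -and $LsassAccessAllowlist -notcontains $r.SourceImage) {
                    [pscustomobject]@{ Indicator = 'LsassAccess'; Detail = "$($r.SourceImage) -> lsass.exe (access $($r.GrantedAccess))" }
                }
            }
            4720 { [pscustomobject]@{ Indicator = 'LocalAccountCreated'; Detail = "$($r.TargetUserName) created by $($r.SubjectUserName)" } }
            4732 { # member added to a security-enabled local group; TargetUserName holds the group name
                if ($r.TargetUserName -eq 'Administrators') {
                    [pscustomobject]@{ Indicator = 'AddedToLocalAdmins'; Detail = "$($r.MemberName) added by $($r.SubjectUserName)" }
                }
            }
            5001 { [pscustomobject]@{ Indicator = 'DefenderRealtimeDisabled'; Detail = 'Microsoft-Windows-Windows Defender/Operational 5001' } }
        }
    }
}

function ConvertFrom-WinEvent {
    # Flatten a Get-WinEvent record into the same field shape the constructed samples use
    param([Parameter(Mandatory)] $Event)
    $h = @{ Id = $Event.Id }
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# Constructed sample records; svagent.exe, dropper.exe and the account names are invented for the demo
$SampleEvents = @(
    @{ Id = 1;    ParentImage = "$AgentDir\svagent.exe"; Image = 'C:\Windows\System32\cmd.exe' }
    @{ Id = 1;    ParentImage = 'C:\Windows\System32\services.exe'; Image = "$AgentDir\svagent.exe" }   # benign: SCM starting the agent
    @{ Id = 11;   Image = 'C:\Users\helpdesk\dropper.exe'; TargetFilename = "$AgentDir\version.dll" }
    @{ Id = 11;   Image = 'C:\Windows\System32\msiexec.exe'; TargetFilename = "$AgentDir\agent.dll" }   # benign: vendor installer
    @{ Id = 10;   SourceImage = 'C:\Windows\Temp\procdump.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1FFFFF' }
    @{ Id = 4720; TargetUserName = 'svcbackup2'; SubjectUserName = 'SYSTEM' }
    @{ Id = 4732; TargetUserName = 'Administrators'; MemberName = 'svcbackup2'; SubjectUserName = 'SYSTEM' }
)
Get-AgentIndicators -Records $SampleEvents | Format-Table -AutoSize   # five findings, two benign records skipped

# Against live data on a server:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 10, 11 } |
#         ForEach-Object { ConvertFrom-WinEvent $_ }
# Get-AgentIndicators -Records $live
```

The first indicator is the one most specific to this CVE: a SYSTEM-level shell or LOLBin whose parent is the agent service is the direct signature of a hijacked resource loading in the service's context.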
Windows Privilege Escalation Context
CWE-732 (Incorrect Permission Assignment) is one of the most common Windows privilege escalation root causes. Common patterns include:
- Unquoted service paths with spaces in directories writable by users
- Weak service binary ACLs — service executable replaceable by low-privileged users
- DLL hijacking — writable directory in service's DLL search path
- Registry key ACL issues — service configuration keys modifiable by users
Detecting these proactively:
# PowerSploit's PowerUp module covers these checks (Get-ModifiableServiceFile, Get-UnquotedService)
# Or use Sysinternals AccessChk: -u suppress errors, -w write access only, -c the name is a service
# (* means every service), -q omit the banner, -v show the granted rights
accesschk.exe -accepteula -uwcqv "Authenticated Users" *
accesschk.exe -accepteula -uwcqv "Users" *
# Same idea for the file system (DLL hijacking / writable install tree): -d directories only, -s recurse
accesschk.exe -accepteula -uwdqs "Users" "C:\Program Files\Fujitsu"
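The same audit in plain PowerShell, covering all four patterns in the list above and serving as a scripted form of the Step 3 interim check. This is an added example, not the page's or the vendor's code: it walks every service, checks the binary, its directory and (for unquoted paths) each directory a space could truncate into for write-capable ACEs granted to low-privilege identities, and checks the service's registry key as well. The low-privilege identity list is an assumption and may need a domain group added; run it elevated so every ACL is readable.

```powershell
# Added example (not the page's or vendor's code): generic CWE-732 audit of Windows services.
# Assumption: the identities below are the ones every local user holds; add domain-wide groups as needed.

$LowPrivIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')

# Rights that let a user replace or alter the object; Modify and FullControl are supersets of these bits
$FileWriteMask    = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$RegWriteMask     = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'
$GenericWriteBits = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL, as seen on inherit-only ACEs

function Get-WeakAces {
    # Allow ACEs on $Path (file, directory or HKLM:\ key) granted to a low-privilege identity with a write-capable right
    param([string]$Path, [int]$Mask)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        $rightsEnum = if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) { $ace.FileSystemRights } else { $ace.RegistryRights }
        $rights = [int]$rightsEnum   # undefined (generic) bits survive the cast, so they can be tested below
        if ((($rights -band $Mask) -ne 0) -or (($rights -band $GenericWriteBits) -ne 0)) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value; Rights = "$rightsEnum" }
        }
    }
}

function Get-ServiceImagePath {
    # Extract the executable from a PathName that may be quoted, unquoted, and followed by arguments
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Get-UnquotedPathDirs {
    # For an unquoted path with spaces, the directories Windows would search for a truncated binary:
    # "C:\Program Files\Foo Bar\svc.exe" -> C:\ (for C:\Program.exe) and C:\Program Files (for ...\Foo.exe)
    param([string]$Exe)
    $parts = $Exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        Split-Path -Path ($parts[0..($i - 1)] -join ' ') -Parent
    }
}

function Find-WeakServicePermissions {
    foreach ($svc in Get-CimInstance Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ServiceImagePath $svc.PathName))
        $targets = @(
            [pscustomobject]@{ Kind = 'ServiceBinary';   Path = $exe }                           # replaceable executable
            [pscustomobject]@{ Kind = 'BinaryDirectory'; Path = (Split-Path -Path $exe -Parent) } # DLL search path / file drop
        )
        if ($svc.PathName -notmatch '^\s*"' -and $exe -match ' ') {                             # unquoted service path
            $targets += Get-UnquotedPathDirs $exe | Select-Object -Unique |
                        ForEach-Object { [pscustomobject]@{ Kind = 'UnquotedPathDir'; Path = $_ } }
        }
        foreach ($t in $targets) {
            Get-WeakAces -Path $t.Path -Mask $FileWriteMask | ForEach-Object {
                [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Kind = $t.Kind
                                   Path = $_.Path; Identity = $_.Identity; Rights = $_.Rights }
            }
        }
        # Service configuration key: ImagePath or parameters writable by users is as bad as a writable binary
        Get-WeakAces -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)" -Mask $RegWriteMask | ForEach-Object {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Kind = 'ServiceRegistryKey'
                               Path = $_.Path; Identity = $_.Identity; Rights = $_.Rights }
        }
    }
}

$findings = Find-WeakServicePermissions
$findings | Sort-Object Service, Kind | Format-Table -AutoSize
# Narrow to the agent: $findings | Where-Object { $_.Path -like '*ServerView*' }
```

Any finding where RunsAs is LocalSystem is a privilege escalation path in its own right, whether or not the service is the ServerView agent; the CVE is one instance of the class this script enumerates.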