CVE-2026-0539 · Local Privilege Escalation in pcvisit service client

01 · The Real Story

This is a master key taped behind the locked door rather than a door left open to the street

pcvisit_service_client.exe in the Windows RemoteHost install can inherit unsafe write permissions, letting a low-privileged local user replace the service binary that later starts as NT AUTHORITY\SYSTEM. Public reporting pegs the affected range at 22.6.22.1329 through 25.12.3.1744 per InfoGuard, while the NVD text says versions after 22.6.22.1329; either way, the fixed version is 25.12.3.1745 released on 2025-12-08.

The vendor/CNA HIGH 8.5 score is fair in a lab because the exploit is simple and the outcome is full local compromise. In enterprise reality it runs hot: this is local-only, requires an attacker who already has code execution or a user session on the box, only matters on Windows systems with pcvisit RemoteHost installed, and often needs a service restart or reboot before the payload fires.

"Easy SYSTEM once an attacker is already local, but this is still a post-compromise Windows privesc, not an edge fire."

02 · The Attack Path

5 steps from start to impact.

STEP 01

Land on a Windows host that runs pcvisit RemoteHost

The attacker first needs a normal user foothold on a Windows system where pcvisit RemoteHost is installed. This is not initial access; the CVE only matters after phishing, credential theft, RMM abuse, or some other local-code-execution path has already succeeded.

Conditions required:

Windows host
pcvisit RemoteHost installed
attacker has local interactive access or arbitrary code execution as a low-privileged user

Where this breaks in practice:

This prerequisite already implies prior compromise or legitimate user access
Only the subset of endpoints running pcvisit RemoteHost are in scope
Many enterprises restrict local logon on servers and support appliances

Detection/coverage: Asset inventory and EDR should already show pcvisit_service_client.exe or the pcvisit RemoteHost install path; generic vuln scanners may miss the ACL condition.

STEP 02

Enumerate the weak service-binary ACL with built-in Windows tooling

Using built-in tools such as icacls.exe or PowerShell Get-Acl, the attacker checks whether Everyone or another broad principal can write to pcvisit_service_client.exe. InfoGuard documented the vulnerable path under C:\Program Files (x86)\pcvisit Software AG\pcvisit RemoteHost\release\[Version]\pcvisit_service_client.exe.

Conditions required:

Ability to read file ACLs
Vulnerable file permissions still present

Where this breaks in practice:

Some fleets may already have corrected ACLs manually even before version uplift
Application control and file integrity monitoring can make enumeration noisy

Detection/coverage: Look for icacls or PowerShell ACL queries against the pcvisit install tree; detection is EDR-dependent, not a standard network scanner strength.

STEP 03

Replace the service executable with a malicious binary

Per the published PoC, the running binary may not be directly overwritten, but it can be renamed and replaced with a trojanized service executable. InfoGuard's demonstration payload used system("net user ... /add") and system("net localgroup Administrators ... /add") to create a local admin once the service ran as SYSTEM.

Conditions required:

Write or modify rights on the binary
Ability to stage a replacement executable

Where this breaks in practice:

Unsigned replacement binaries may be blocked by Defender, WDAC, AppLocker, or EDR
Tamper protection, AV, or FIM can catch the rename-and-replace sequence
Attackers need disk write access in a monitored program directory

Detection/coverage: High-value behavioral signal: rename or write events targeting pcvisit_service_client.exe, especially followed by creation of a new PE file in the same directory.

STEP 04

Wait for service restart or reboot to get SYSTEM

The payload executes when the service next starts, typically on reboot, or sooner if the attacker can induce or trigger a service restart. The result is local privilege escalation to NT AUTHORITY\SYSTEM, which is enough to disable defenses, dump creds, or establish persistence.

Conditions required:

Service restart, system reboot, or other restart event

Where this breaks in practice:

Without service control rights, execution may be delayed until the next reboot
Well-managed servers may have infrequent reboots but also tighter monitoring around service changes

Detection/coverage: Correlate file modification of the service binary with subsequent service start events and privileged process creation from the pcvisit path.

STEP 05

Use SYSTEM to persist or move laterally

Once SYSTEM is obtained, the attacker can add administrators, dump LSASS-protected material if defenses permit, or install a persistent backdoor. On support workstations, jump hosts, or shared admin boxes, that can become a useful lateral-movement amplifier even though the CVE itself is only local.

Conditions required:

Successful SYSTEM execution
Post-exploitation objective such as persistence or credential access

Where this breaks in practice:

Credential Guard, LSASS protections, EDR containment, and admin-tiering can limit what happens next
Impact is still bounded to the compromised host unless chained with credential theft or remote admin access

Detection/coverage: Standard post-exploitation detections apply: new local admins, service tampering, suspicious child processes, credential access attempts, and persistence from the pcvisit service context.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public active exploitation evidence found in the sources reviewed, and CISA KEV does not list this CVE.
Public exploit evidence	Yes, but limited: InfoGuard published a step-by-step PoC workflow and example payload logic; I did not find a public Metasploit module or mainstream GitHub exploit repo during this review.
EPSS	0.00014 from the user-supplied intel. That is extremely low in absolute probability terms; the exact FIRST percentile was not independently verified during this review.
KEV status	Not listed in the CISA Known Exploited Vulnerabilities Catalog.
CVSS meaning	`AV:L/AC:L/AT:N/PR:L/UI:N/...` means local attack only, low complexity, low privileges required, no user interaction, with high confidentiality/integrity/availability impact on the local host once exploited.
Affected versions	InfoGuard states 22.6.22.1329 up to but not including 25.12.3.1745. The NVD text says versions after 22.6.22.1329; treat 22.6.22.1329 through 25.12.3.1744 as the safe operational exposure range until the vendor clarifies the boundary.
Fixed version	25.12.3.1745 released 2025-12-08. pcvisit says the fix was automatically rolled out to customers.
Exposure reality	External internet scanning data is mostly irrelevant here: this is a local Windows file-permission bug, not a remotely reachable network service flaw. Shodan/Censys/GreyNoise-style exposure counts do not map cleanly to exploitability for this CVE.
Disclosure timeline	Researcher contact began 2025-11-25; vendor confirmed on 2025-11-27; patch shipped 2025-12-08; public advisory published 2026-04-22 with the timeline listing public disclosure on 2026-04-23.
Researcher / product footprint	Reported by Marcel Schmid and Janik Wehrli of InfoGuard. pcvisit describes the product as used by more than 15,000 users and specifically positioned for unattended remote access, which means affected hosts may be operationally sensitive even if population is limited.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (6.3/10)

The decisive downward pressure is attacker position: this bug is only useful after the attacker already has a low-privileged local foothold on a Windows host that runs pcvisit RemoteHost. That makes it a strong post-compromise amplifier, not a broad initial-access event, and there is no public evidence of mass or active exploitation pushing it higher.

HIGH Exploit mechanics and affected fixed version

MEDIUM Real-world prevalence inside typical enterprise fleets

Why this verdict

Start at 8.5, then cut for post-compromise-only: AV:L + PR:L means the attacker already has code execution or a user session on the host. That prerequisite is an entire earlier compromise stage, so the vendor score overstates urgent fleetwide exposure.
Cut again for exposed population: this only affects Windows systems running pcvisit RemoteHost, not every Windows endpoint. In most enterprises that is a comparatively narrow, administratively managed subset.
Trim for execution friction: the attacker still needs the weak ACL to remain in place and usually needs a service restart or reboot before the malicious binary runs as SYSTEM. That is real but not zero friction, especially on monitored hosts.

Why not higher?

There is no unauthenticated or remote entry point here, no userless internet exploit path, no KEV listing, and no public reports of active exploitation campaigns. A vulnerability that starts only after the attacker is already local should not be scored like an edge-service compromise.

Why not lower?

Once the attacker is on the box, the exploit path is straightforward and the outcome is SYSTEM, which is full local compromise. Because pcvisit is remote-support software that may live on admin workstations, unattended support endpoints, or shared servers, the post-exploitation value of a successful privesc is still meaningful.

05 · Compensating Control

What to do — in priority order.

Fix the ACL now on vulnerable binaries — Remove broad Write/Modify rights from pcvisit_service_client.exe and its parent release directory so only trusted administrative principals can change the service binary. For a MEDIUM noisgate verdict there is no mitigation SLA — go straight to the 365-day remediation window, but apply this hardening sooner on shared support workstations, jump hosts, and terminal servers where multiple users can log on.
Restrict local logon on RemoteHost systems — Treat Windows systems running unattended remote-support agents as semi-privileged assets and reduce who can log on interactively or via RDP. This does not remove the bug, but it directly attacks the main prerequisite: low-privileged local access.
Alert on service-binary tampering — Add file integrity and EDR detections for rename, delete, or write activity involving pcvisit_service_client.exe and for suspicious service-start child processes from the pcvisit install path. This is the best compensating visibility because exploit abuse has to touch disk in a sensitive program directory.
Enforce application control — Use WDAC, AppLocker, or equivalent publisher/path rules to block arbitrary unsigned binaries from replacing or executing as the pcvisit service. This materially raises friction against the published PoC and is worth prioritizing anywhere support tooling runs with elevated trust.

What doesn't work

Perimeter controls or WAF rules do not help because the bug is not a network-reachable request path.
MFA on pcvisit operator accounts is good hygiene but does not stop a local user from overwriting a weakly protected Windows service binary.
External attack-surface management alone will miss this because the dangerous condition is a local filesystem permission problem, not an exposed TCP service.

06 · Verification

Crowdsourced verification payload.

Run this on the target Windows host or through your endpoint management tool with local administrator rights so it can read ACLs and file metadata under Program Files. Example: powershell.exe -ExecutionPolicy Bypass -File .\check-cve-2026-0539.ps1. Systems without pcvisit RemoteHost installed return UNKNOWN.

noisgate-verify.ps1

POWERSHELLREAD-ONLYSAFE

# check-cve-2026-0539.ps1

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


$ErrorActionPreference = 'Stop'

function Get-VersionObject {
    param([string]$VersionString)
    try {
        return [version]$VersionString
    } catch {
        return $null
    }
}

function Test-WeakAcl {
    param([string]$Path)

    $weakRights = @('Modify','Write','FullControl')
    $broadPrincipals = @('Everyone','BUILTIN\\Users','Users','Authenticated Users','NT AUTHORITY\\Authenticated Users')

    try {
        $acl = Get-Acl -LiteralPath $Path
    } catch {
        return $null
    }

    foreach ($ace in $acl.Access) {
        $id = [string]$ace.IdentityReference
        if ($broadPrincipals -contains $id) {
            $rights = [string]$ace.FileSystemRights
            foreach ($r in $weakRights) {
                if ($rights -match $r -and $ace.AccessControlType -eq 'Allow') {
                    return $true
                }
            }
        }
    }

    return $false
}

$searchRoots = @(
    "$env:ProgramFiles(x86)\\pcvisit Software AG",
    "$env:ProgramFiles\\pcvisit Software AG"
) | Where-Object { $_ -and (Test-Path $_) }

$targets = @()
foreach ($root in $searchRoots) {
    try {
        $targets += Get-ChildItem -LiteralPath $root -Recurse -Filter 'pcvisit_service_client.exe' -File -ErrorAction SilentlyContinue
    } catch {
        # ignore and continue

    }
}

if (-not $targets -or $targets.Count -eq 0) {
    Write-Output 'UNKNOWN - pcvisit_service_client.exe not found'
    exit 2
}

$minVuln = Get-VersionObject '22.6.22.1329'
$fixedVer = Get-VersionObject '25.12.3.1745'
$foundUnknown = $false

foreach ($file in $targets) {
    $versionString = $null
    try {
        $versionString = $file.VersionInfo.ProductVersion
        if (-not $versionString) { $versionString = $file.VersionInfo.FileVersion }
    } catch {
        $versionString = $null
    }

    $ver = Get-VersionObject $versionString
    if (-not $ver) {
        $foundUnknown = $true
        Write-Output ("UNKNOWN - could not parse version for {0}" -f $file.FullName)
        continue
    }

    $weakAcl = Test-WeakAcl -Path $file.FullName
    if ($null -eq $weakAcl) {
        $foundUnknown = $true
        Write-Output ("UNKNOWN - could not read ACL for {0} (version {1})" -f $file.FullName, $ver)
        continue
    }

    $inRange = ($ver -ge $minVuln -and $ver -lt $fixedVer)

    if ($inRange -and $weakAcl) {
        Write-Output ("VULNERABLE - {0} version {1} has broad write/modify ACLs" -f $file.FullName, $ver)
        exit 1
    }

    if ($ver -ge $fixedVer) {
        Write-Output ("PATCHED - {0} version {1} is at or above fixed version" -f $file.FullName, $ver)
    } elseif ($inRange -and -not $weakAcl) {
        Write-Output ("PATCHED - {0} version {1} is in advisory range but ACLs do not appear broadly writable" -f $file.FullName, $ver)
    } else {
        Write-Output ("UNKNOWN - {0} version {1} is outside expected advisory range" -f $file.FullName, $ver)
        $foundUnknown = $true
    }
}

if ($foundUnknown) {
    exit 2
}

exit 0

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, identify the Windows systems that actually run pcvisit RemoteHost, then validate two things: version and ACL state on pcvisit_service_client.exe. For this MEDIUM rating, the noisgate mitigation SLA says no mitigation SLA — go straight to the 365-day remediation window; the noisgate remediation SLA is patch within 365 days. In practice, do not treat it like an edge emergency, but do pull forward shared support workstations, jump boxes, and multi-user servers into the next routine Windows change window because those are the hosts where a low-privileged local privesc to SYSTEM has the most operational value for attackers.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.