CVE-2026-11459 SecureAge CatchPulse Information Disclosure Vulnerability
SecureAge CatchPulse versions up to 10.9.3 contain a vulnerability in the saappctl.sys driver that can leak sensitive information to authenticated local users. An attacker with a valid local account on the affected system can trigger the IOCTL handler to access data they shouldn't normally see. The vulnerability has been publicly disclosed and active exploitation is possible, though it requires legitimate access to the target machine.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.3 LOW · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-200, CWE-284
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-07 / 2026-06-17
NVD description (verbatim)
A security vulnerability has been detected in SecureAge CatchPulse up to 10.9.3. Impacted is an unknown function in the library saappctl.sys of the component IOCTL Handler. The manipulation leads to information disclosure. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11459 is an information disclosure vulnerability affecting SecureAge CatchPulse through version 10.9.3. The flaw resides in an undocumented function within the saappctl.sys kernel driver's IOCTL handler. The vulnerability stems from insufficient access controls (CWE-284) and improper information handling (CWE-200), allowing a local authenticated user to read sensitive data without proper authorization. The attack surface is limited to local interactions; remote exploitation is not possible.
Business impact
While the CVSS score of 3.3 reflects low severity, this vulnerability poses a targeted risk to organizations relying on CatchPulse for security operations. Information disclosure at the kernel driver level could expose configuration details, credentials, or monitoring data to insider threats or compromised local accounts. The public disclosure and proof-of-concept availability increase the likelihood of weaponization, particularly in multi-tenant or shared computing environments where privilege escalation chains may follow.
Affected systems
SecureAge CatchPulse versions up to and including 10.9.3 are confirmed vulnerable. No vendor or product-specific mitigation data was provided in the source record, so affected organizations should consult SecureAge's official advisory for a complete list of impacted product variants and verify their installed versions immediately.
Exploitability
The vulnerability requires local access and valid user credentials, making opportunistic remote exploitation impossible. However, the public disclosure and existence of proof-of-concept code significantly lower the barrier to exploitation for attackers with local system access. The IOCTL handler's permissive behavior suggests this could be chained with other local privilege escalation vectors to amplify impact.
Remediation
Upgrade SecureAge CatchPulse to a patched version released after 10.9.3. Organizations unable to patch immediately should implement strict local access controls, disable or restrict IOCTL operations where possible, and monitor for suspicious kernel driver interactions. Verify against the vendor advisory for exact patch version numbers and compatibility details before deploying updates.
Patch guidance
Contact SecureAge for availability of patched CatchPulse versions newer than 10.9.3. Verify patch applicability to your specific deployment configuration and test in a non-production environment first. Given the kernel driver involvement, ensure system stability and rollback procedures are documented before applying updates to production systems.
Detection guidance
Monitor for unusual IOCTL requests to saappctl.sys from processes running under local user accounts. Kernel driver instrumentation or driver behavior analysis tools may reveal attempts to query sensitive information through the vulnerable handler. Review system logs for unexpected driver interactions and correlate with user account activity to identify suspicious patterns.
Why prioritize this
Despite the low CVSS score, prioritize patching based on environmental context: assess whether local user accounts have adequate access controls, whether your deployment is exposed to insider threats, and whether this system is part of a security-critical workflow. The public exploit availability and kernel-level nature of the issue make it a candidate for near-term remediation, particularly if the system has internet-facing components or untrusted user access.
Risk score, explained
The CVSS 3.1 score of 3.3 (LOW) reflects the requirement for local authenticated access and the confidentiality-only impact. However, this does not account for the public availability of working exploits or the potential for chaining with local privilege escalation techniques. Organizations should weight contextual risk factors—such as shared system usage, presence of higher-privilege accounts, and data sensitivity—when determining actual remediation priority.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. The vulnerability requires local access and valid user credentials on the target system. Remote attackers cannot directly trigger this flaw. However, a prior compromise or remote code execution could enable local exploitation as a secondary attack.
What happens if someone exploits this?
The attacker gains unauthorized read access to sensitive data accessible through the IOCTL handler in the saappctl.sys driver. The nature of the leaked data depends on what the handler exposes—this could include configuration, monitoring state, or other privileged information. No system modification or denial of service occurs as a result of this vulnerability.
Is there a workaround if we cannot patch immediately?
Partial mitigation can be achieved by restricting local account access, disabling unnecessary services, and implementing application-level access controls. However, these are not substitutes for patching. Consult SecureAge for interim guidance pending availability of a patched version.
Why is this in the KEV catalog status important here?
This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, though public proof-of-concept code exists. The absence from KEV does not indicate low risk; rather, it reflects that widespread exploitation has not yet been documented by federal sources. Remain vigilant, as KEV status can change.
This analysis is provided for informational purposes and reflects the state of the vulnerability as of the publication date. CVSS scores and severity ratings are standardized but may not capture all contextual risk factors in your environment. Verify all patch version numbers and remediation steps directly with SecureAge's official security advisories before taking action. SEC.co does not guarantee the accuracy or completeness of vendor response information; always consult primary sources for the most current guidance. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11464LOWJeecgBoot User List Information Disclosure via Salt Parameter
- CVE-2026-11458MEDIUMJeeWMS Boot Actuator Information Disclosure Vulnerability
- CVE-2026-10011LOWChrome Skia Cross-Origin Data Leak
- CVE-2026-45154LOWNextcloud Collective Pages Trashbin Access Control Bypass
- CVE-2026-45266LOWNextcloud Unauthorized Call Microphone Mute Vulnerability
- CVE-2026-45277LOWNextcloud Approval Information Disclosure Vulnerability
- CVE-2026-45683LOWOpenTelemetry eBPF Instrumentation Kernel Memory Disclosure
- CVE-2026-45739LOWStrawberry GraphQL Credential Exposure in GraphiQL Headers