HIGH 7.8

CVE-2026-32325: ServerView Agents Privilege Escalation (CVSS 7.8)

ServerView Agents for Windows contains a privilege escalation flaw that allows an already-authenticated local user to gain SYSTEM-level access. This is not a remote attack—the attacker must have legitimate credentials and local login capability on the affected server. However, once inside, they can elevate to the highest privilege level, potentially taking full control of the system.

Source data · NVD / CISA · public domain

CVSS
3.0 · 7.8 HIGH · CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-268
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Privilege chaining issue exists in ServerView Agents for Windows V11.60.04 and earlier. If this vulnerability is exploited, a local authenticated attacker who can log in to the server where the affected product is installed may obtain SYSTEM privilege.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-32325 is a privilege chaining vulnerability affecting ServerView Agents for Windows through version 11.60.04. The flaw stems from improper privilege management (CWE-268) that permits a local authenticated user to chain together multiple operations or exploit a trust relationship to bypass privilege separation controls. The attack requires no user interaction and operates in a single security context. With a CVSS 3.0 score of 7.8 (HIGH), the vulnerability has high impact across confidentiality, integrity, and availability.

Business impact

This vulnerability poses a significant insider risk and privilege escalation threat in environments relying on ServerView Agents for remote server management. An employee, contractor, or adversary with valid credentials can convert standard user access into unrestricted SYSTEM privilege, enabling them to install backdoors, modify audit logs, exfiltrate sensitive data, or disable security controls. Organizations managing fleets of Windows servers through ServerView should treat this as a priority remediation target, as lateral movement and persistent compromise become possible post-exploitation.

Affected systems

ServerView Agents for Windows versions 11.60.04 and earlier are affected. Organizations should verify their current deployment versions across all managed servers. The vulnerability requires the attacker to have local login access, meaning it is most relevant in scenarios where remote access solutions, shared hosting, or multi-user administrative systems are in use.

Exploitability

Exploitability is moderate to high within the threat model it represents. An attacker cannot exploit this remotely—they must already possess valid user credentials and local or terminal access to the server. However, the attack requires no special conditions (low complexity), no user interaction, and operates within the user's existing session. In environments with permissive access controls, shared service accounts, or high-privileged user populations, an attacker or insider could readily abuse this path to SYSTEM privilege.

Remediation

Upgrade ServerView Agents for Windows to a version after 11.60.04. Verify against the vendor advisory for specific patched versions available for your deployment. As an interim control, restrict local login privileges to only users who require administrative access, enforce strong authentication on all administrative accounts, and monitor process creation and privilege escalation events on systems running ServerView Agents.

Patch guidance

Contact Fujitsu or consult the ServerView product advisory to identify patched versions available for your current release track. Apply patches in a controlled manner—first to test or non-critical systems, then across production infrastructure. Verify that post-patch systems function correctly before broadly deploying updates. If patched versions are not yet available for your specific release, prioritize compensating controls such as access restriction and enhanced monitoring.

Detection guidance

Monitor Windows Event Viewer and security logging for unexpected privilege escalation events, particularly processes spawned by ServerView Agents requesting or obtaining SYSTEM privilege. Look for lateral movement patterns following successful escalation. Enable Windows Audit Policy to track creation and modification of processes and verify parent-child relationships. Search logs for any instances of ServerView components executing with elevated privilege without corresponding administrative request or approval.

Why prioritize this

Despite not yet appearing on CISA's KEV catalog, this vulnerability merits immediate attention due to its LOCAL scope and high impact. Any environment where ServerView Agents are deployed in multi-user or shared-access scenarios should prioritize patching. The ability to escalate from authenticated user to SYSTEM with low complexity makes this a high-value target for insiders and lateral movement by sophisticated attackers. The absence of KEV status does not diminish the risk—KEV listing typically reflects active exploitation in the wild, while this advisory is relatively recent.

Risk score, explained

The CVSS 3.0 score of 7.8 (HIGH) reflects high impact on confidentiality, integrity, and availability, combined with local attack vector and low complexity. The score is justified because: (1) impact is maximum across all three CIA categories once exploitation succeeds; (2) the attack requires only user-level privileges to initiate, lowering the barrier; (3) no user interaction or special conditions are needed; and (4) the compromise is system-wide, affecting all data and processes on the target server. The score appropriately captures the severity within its local attack scope.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. The attacker must have valid user credentials and local or terminal access to the affected server. Remote access solutions (RDP, SSH, etc.) could provide that entry point, but the escalation itself is a local operation after authentication.

What if we don't use ServerView Agents?

This vulnerability does not affect you. ServerView Agents is a specific Fujitsu product for Windows server management. Verify your inventory to confirm whether your organization has deployed it.

Is there a workaround if we cannot patch immediately?

There is no official workaround that eliminates the vulnerability. Interim mitigations include restricting local login permissions to only necessary administrators, enforcing multi-factor authentication on all administrative accounts, disabling ServerView features that are not actively needed, and implementing enhanced logging and alerting for privilege escalation events.

Why isn't this on CISA's KEV list yet?

CISA's Known Exploited Vulnerabilities catalog tracks threats with confirmed active exploitation in the wild. This vulnerability may not yet meet that threshold, or exploitation may not have been reported to CISA. Recent vulnerabilities often appear on KEV within weeks of public disclosure if evidence of active abuse emerges. Organizations should not wait for KEV listing—proactive patching based on CVSS and business exposure is a stronger security posture.

This analysis is based on official CVE records and vendor advisories as of the publication date. CVSS scores, affected versions, and patch availability are subject to change. Organizations should verify patch status and version details directly with Fujitsu and their internal asset inventory. This document does not constitute legal or compliance advice. Security leaders should integrate findings into risk management and patching programs according to organizational policies and regulatory requirements. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).