HIGH 7.8

CVE-2026-8637: LanSchool Classic Uncontrolled Search Path Privilege Escalation (CVSS 7.8)

LanSchool Classic contains a vulnerability where the application searches for files or libraries in locations that an authenticated local user can manipulate. An attacker with local access could place malicious files in predictable locations and trick the application into loading them with elevated privileges, leading to complete system compromise. This is a local-only issue requiring prior system access, but the damage potential is severe.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-427
Affected products
0 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

A potential uncontrolled search path vulnerability was reported in the LanSchool Classic client application that could allow a local authenticated user to execute arbitrary code with elevated privileges.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-8637 is an uncontrolled search path vulnerability (CWE-427) in LanSchool Classic's client. The application fails to properly validate the source of executable components or libraries it loads during runtime. A local authenticated user can exploit a predictable or uncontrolled search path—such as the current working directory, a shared temp folder, or an unprotected system path—to inject a malicious DLL or binary. When LanSchool executes with elevated privileges (common for educational management software), the injected code runs with those same privileges, enabling arbitrary code execution. The CVSS 3.1 score of 7.8 (High severity) reflects local access requirement, low attack complexity, and high impact across confidentiality, integrity, and availability.

Business impact

Educational institutions deploying LanSchool Classic across student and staff machines face a significant insider threat. Any local user on an affected system can escalate to administrative or system-level control without user interaction, potentially leading to data theft (student records, gradebooks, intellectual property), system takeover, malware installation, or lateral movement to network resources. The classroom management focus of LanSchool means it often runs on systems with sensitive educational data, amplifying breach impact. Remediation delays increase risk of privilege escalation chains and supply chain attacks if compromised systems are used for further network penetration.

Affected systems

LanSchool Classic client installations are affected. Specific affected versions are not detailed in the available advisory; vendors_products data is empty in the source record. Administrators must consult Lenovo (the current maintainer of LanSchool) or vendor security advisories for definitive version and platform scope (Windows, macOS, or both). Affected systems are those where LanSchool Classic is installed and where non-administrator users can write to the application's search paths or working directories.

Exploitability

Exploitability is moderate. The attack requires local authenticated access—an attacker must already have a user account and logon capability on the target machine. However, once local access is achieved, exploitation is straightforward: place a malicious library or executable in a path that LanSchool searches before secure system directories, then trigger the application or wait for its normal execution. No KEV (Known Exploited Vulnerability) status has been assigned, suggesting active exploitation in the wild has not yet been widely documented, though that does not eliminate risk. User interaction is not required; the vulnerability triggers automatically during application operation.

Remediation

Patch LanSchool Classic immediately to a version that validates search paths and prioritizes system directories over user-writable locations. Until patching is possible, restrict local access to affected systems, disable unnecessary user accounts, and enforce strong file system permissions on application directories to prevent non-administrators from writing to locations in the application's search path. Consider isolating LanSchool systems on a dedicated educational network segment to limit lateral movement if compromise occurs. Verify patch availability and version guidance directly from Lenovo or the vendor's security advisory.

Patch guidance

Contact Lenovo or your LanSchool vendor for the latest security advisory to identify patched versions and release timelines. Apply patches to all LanSchool Classic client installations in priority order (start with systems managing sensitive data or high-value assets). Before deployment, test patches in a lab environment mirroring your classroom configurations to ensure no disruption to educational workflows. Patch deployment should include documentation of which machines have been updated to support verification and compliance auditing.

Detection guidance

Monitor for suspicious file creation or modification in LanSchool application directories and search paths, particularly in temp folders, user profile directories, and application home directories. Detect unusual privilege escalation events following LanSchool process execution. Use file integrity monitoring (FIM) on LanSchool binaries and library directories to alert on unauthorized changes. Endpoint Detection and Response (EDR) solutions should flag process execution chains where LanSchool spawns child processes with elevated privileges or system access. Review Windows Event Viewer for failed library load events (event IDs 7000-7999) that might indicate tampering with DLL search order. Correlate account logon events with file write activity in protected directories to identify anomalous access patterns.

Why prioritize this

Prioritize this vulnerability for immediate patching due to its HIGH severity score (7.8), high impact across confidentiality, integrity, and availability, and the critical nature of LanSchool systems in educational environments. While active exploitation is not yet documented (KEV status is false), the ease of exploitation once local access is obtained, combined with the sensitive data typically present on managed classroom systems, makes this a material risk. Educational institutions are frequently targets for data theft and ransomware, amplifying the consequence of local privilege escalation. Delay increases the window for attack before patches are deployed.

Risk score, explained

The CVSS 3.1 score of 7.8 reflects: Attack Vector (Local) - requires prior access to the system; Attack Complexity (Low) - exploitation does not require special or unlikely conditions; Privileges Required (Low) - an authenticated user can trigger the vulnerability; User Interaction (None) - no action by an administrator is needed; Scope (Unchanged) - impact is limited to the affected system; and high impact on Confidentiality, Integrity, and Availability - a successful exploit grants full control. The 'High' severity label appropriately captures the severity for systems where LanSchool manages sensitive educational data, though the local-only attack vector prevents a 'Critical' rating.

Frequently asked questions

Does this vulnerability require administrator privileges to exploit?

No. The vulnerability requires only local authenticated access—a standard user account on the system can exploit it by placing a malicious file in a location that LanSchool searches. The privilege escalation happens when LanSchool itself, often running with elevated privileges, loads the attacker's malicious file.

Is this vulnerability currently being exploited in the wild?

This vulnerability has not been assigned KEV (Known Exploited Vulnerability) status, indicating that active exploitation has not yet been confirmed in public reports or vulnerability databases. However, absence of documented exploitation does not guarantee safety; threat actors may exploit it silently before public disclosure.

What should I do if I cannot patch immediately?

Restrict local access to affected systems by disabling unnecessary user accounts, enforce strong file permissions on LanSchool directories to prevent non-administrators from writing to them, and isolate LanSchool systems on a trusted network segment. Monitor for suspicious activity using EDR or file integrity monitoring. These controls reduce risk but do not eliminate it; patching should remain the primary goal.

Does this vulnerability affect remote users or Zoom/remote learning scenarios?

This is a local vulnerability only—it requires physical or direct logical access to the machine running LanSchool Classic. Remote learning deployments where students access LanSchool from home are at risk only if their home device's LanSchool installation is vulnerable. LanSchool's remote management features are separate from this client-side flaw.

This analysis is provided for informational purposes and reflects publicly available information as of the publication and modification dates listed. No exploit code, proof-of-concept, or weaponized attack vectors are included. Specific patch versions, affected product lists, and vendor timelines should be verified directly with Lenovo or the official LanSchool vendor security advisory. Organizations should conduct their own risk assessment and testing in controlled environments before deploying patches. SEC.co makes no warranty regarding the completeness or accuracy of remediation guidance; security teams must validate all recommendations against their specific infrastructure and compliance requirements. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).