Cyber Posture

CVE-2026-26722

Critical · Public PoC

Published: 20 February 2026

Modified: 26 February 2026
KEV Added
Patch
CVSS Score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H)
EPSS Score: 0.0022 (44.1th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Description

An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to escalate privileges via the PIN component of the login functionality.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Employs least privilege to ensure users and processes have only necessary access rights, directly mitigating privilege escalation via the PIN login component.

prevent

Enforces approved authorizations for access to system resources, preventing improper privilege elevation in the login functionality.

prevent

Manages accounts including privilege assignments, reducing risk of improper privilege management exploited in the PIN component.

Security Summary · AI

CVE-2026-26722 is a privilege escalation vulnerability affecting Key Systems Inc Global Facilities Management Software version 20230721a. The issue lies in the PIN component of the login functionality, where an attacker can exploit improper privilege management (CWE-269) to elevate their access rights. Published on 2026-02-20, it carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H), indicating critical severity due to its network accessibility and high potential impact.

A remote attacker needs no prior privileges and no user interaction to exploit this vulnerability over the network, and attack complexity is low. Successful exploitation escalates the attacker's privileges, with high impact on system integrity and availability and low impact on confidentiality, potentially compromising the facility management system's controls.

Details on the vulnerability, including disclosure information, are available in the GitHub repository at https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26722. No specific patch or mitigation guidance is provided in the CVE description.

Details

CWE(s)

Affected Products

keystorage · global facilities management software · 20230721a

MITRE ATT&CK Enterprise Techniques · AI

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Unauthenticated remote privilege escalation via exploitation of the login PIN component in network-accessible facilities management software directly enables T1068 and facilitates initial access via T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
