{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3315", "assignerOrgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "state": "PUBLISHED", "assignerShortName": "NCSC-FI", "dateReserved": "2026-02-27T06:40:06.038Z", "datePublished": "2026-03-10T09:35:42.236Z", "dateUpdated": "2026-03-11T05:13:30.886Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "shortName": "NCSC-FI", "dateUpdated": "2026-03-11T05:13:30.886Z"}, "title": "Local Privilege Escalation Due to Writable Executable in Privileged Visionline Service Path", "datePublic": "2026-03-10T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-250", "description": "CWE-250: Execution with Unnecessary Privileges", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-732", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-176", "descriptions": [{"lang": "en", "value": "CAPEC-176 Configuration/Environment Manipulation"}]}], "affected": [{"vendor": "ASSA ABLOY", "product": "Visionline", "platforms": ["Windows"], "versions": [{"status": "affected", "version": "1.0", "lessThan": "1.33", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Incorrect Default Permissions, : Execution with Unnecessary Privileges, : Incorrect Permission Assignment for Critical Resource vulnerability in ASSA ABLOY Visionline on Windows allows Configuration/Environment Manipulation.This issue affects Visionline: from 1.0 before 1.33.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Incorrect Default Permissions, : Execution with Unnecessary Privileges, : Incorrect Permission Assignment for Critical Resource vulnerability in ASSA ABLOY Visionline on Windows allows Configuration/Environment Manipulation.<p>This issue affects Visionline: from 1.0 before 1.33.</p>"}]}], "references": [{"url": "https://www.vingcard.com/en/service-and-support/product-security-center/hospitality-product-security-advisories"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "USER", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "LOW", "providerUrgency": "CLEAR", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L/AU:Y/R:U/RE:L/U:Clear"}}], "workarounds": [{"lang": "en", "value": "* Right-click on the folder C:\\ProgramData\\ASSA ABLOY\\Visionline\\webserver\n * Select Properties\n * Select the Security tab\n * Click Advanced\n * Click Disable inheritance\n * Select Convert inherited permissions into explicit permissions on this object\n * Remove Users from the list", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div><p></p><ol><li>Right-click on the folder C:\\ProgramData\\ASSA ABLOY\\Visionline\\webserver</li><li>Select Properties</li><li>Select the Security tab</li><li>Click Advanced</li><li>Click Disable inheritance</li><li>Select Convert inherited permissions into explicit permissions on this object</li><li>Remove Users from the list</li></ol><p></p></div>"}]}], "credits": [{"lang": "en", "value": "Withsecure Exposure Management", "type": "reporter"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T13:51:35.314328Z", "id": "CVE-2026-3315", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:51:51.504Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3315", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T13:51:35.314328Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:51:42.640Z"}}], "cna": {"title": "Local Privilege Escalation Due to Writable Executable in Privileged Visionline Service Path", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Withsecure Exposure Management"}], "impacts": [{"capecId": "CAPEC-176", "descriptions": [{"lang": "en", "value": "CAPEC-176 Configuration/Environment Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 5.8, "Automatable": "YES", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L/AU:Y/R:U/RE:L/U:Clear", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "CLEAR", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ASSA ABLOY", "product": "Visionline", "versions": [{"status": "affected", "version": "1.0", "lessThan": "1.33", "versionType": "custom"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}], "datePublic": "2026-03-10T00:00:00.000Z", "references": [{"url": "https://https://www.vingcard.com/en/service-and-support/product-security-center"}], "workarounds": [{"lang": "en", "value": "* Right-click on the folder C:\\ProgramData\\ASSA ABLOY\\Visionline\\webserver\n * Select Properties\n * Select the Security tab\n * Click Advanced\n * Click Disable inheritance\n * Select Convert inherited permissions into explicit permissions on this object\n * Remove Users from the list", "supportingMedia": [{"type": "text/html", "value": "<div><p></p><ol><li>Right-click on the folder C:\\ProgramData\\ASSA ABLOY\\Visionline\\webserver</li><li>Select Properties</li><li>Select the Security tab</li><li>Click Advanced</li><li>Click Disable inheritance</li><li>Select Convert inherited permissions into explicit permissions on this object</li><li>Remove Users from the list</li></ol><p></p></div>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Incorrect Default Permissions, : Execution with Unnecessary Privileges, : Incorrect Permission Assignment for Critical Resource vulnerability in ASSA ABLOY Visionline on Windows allows Configuration/Environment Manipulation.This issue affects Visionline: from 1.0 before 1.33.", "supportingMedia": [{"type": "text/html", "value": "Incorrect Default Permissions, : Execution with Unnecessary Privileges, : Incorrect Permission Assignment for Critical Resource vulnerability in ASSA ABLOY Visionline on Windows allows Configuration/Environment Manipulation.<p>This issue affects Visionline: from 1.0 before 1.33.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-250", "description": "CWE-250: Execution with Unnecessary Privileges"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-732", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource"}]}], "providerMetadata": {"orgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "shortName": "NCSC-FI", "dateUpdated": "2026-03-10T09:35:42.236Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3315", "state": "PUBLISHED", "dateUpdated": "2026-03-10T13:51:51.504Z", "dateReserved": "2026-02-27T06:40:06.038Z", "assignerOrgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "datePublished": "2026-03-10T09:35:42.236Z", "assignerShortName": "NCSC-FI"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:assaabloy:visionline:*:*:*:*:*:*:*:*", "matchCriteriaId": "93D20EB5-410A-478F-B892-8B660E16AF6C", "versionEndExcluding": "1.34.0", "versionStartIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Default Permissions, : Execution with Unnecessary Privileges, : Incorrect Permission Assignment for Critical Resource vulnerability in ASSA ABLOY Visionline on Windows allows Configuration/Environment Manipulation.This issue affects Visionline: from 1.0 before 1.33."}, {"lang": "es", "value": "Permisos Predeterminados Incorrectos, : Ejecuci\u00f3n con Privilegios Innecesarios, : Asignaci\u00f3n Incorrecta de Permisos para un Recurso Cr\u00edtico vulnerabilidad en ASSA ABLOY Visionline en Windows permite la Manipulaci\u00f3n de la Configuraci\u00f3n/Entorno. Este problema afecta a Visionline: desde 1.0 antes de 1.33."}], "id": "CVE-2026-3315", "lastModified": "2026-05-07T20:41:03.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "CLEAR", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:Clear", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "source": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "type": "Secondary"}]}, "published": "2026-03-10T18:19:01.367", "references": [{"source": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "tags": ["Vendor Advisory"], "url": "https://www.vingcard.com/en/service-and-support/product-security-center/hospitality-product-security-advisories"}], "sourceIdentifier": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-250"}, {"lang": "en", "value": "CWE-276"}, {"lang": "en", "value": "CWE-732"}], "source": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows"], "status": "affected", "versions": {"scheme": "generic", "value": "[1.0,1.33)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Visionline", "source": "cna", "vendor": "ASSA ABLOY"}, "product": "visionline", "vendor": "assa_abloy"}], "analysis": {"en": {"generated_at": "2026-04-16T03:55:00.198188+00:00", "value": {"mitigation_remediation": ["Disable inheritance on the C:\\ProgramData\\ASSA ABLOY\\Visionline\\webserver folder and remove all users from its permission list so that only the Visionline service account retains access", "Upgrade Visionline to version 1.33 or later, which is not affected by this weakness", "Audit and restrict permissions on all directories used by Visionline to allow only the necessary system and service accounts"], "summary": {"action": "Apply Workaround", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "ASSA ABLOY Visionline on Windows, versions 1.0 through 1.32 (i.e., any release before 1.33). The affected component is the webserver directory located at C:\\ProgramData\\ASSA ABLOY\\Visionline.", "description_and_impact": "An incorrect default permission setting on the Visionline webserver directory allows a local user to place a malicious executable with elevated privileges. The vulnerability is classified under execution with unnecessary privileges, incorrect permission assignment, and improper enforcement of correct permissions. An attacker who can write to this directory could replace a legitimate file with a malicious payload and gain elevated local privileges, thereby compromising the underlying Windows system.", "risk_and_exploitability": "The CVSS score of 5.8 indicates moderate severity, and the EPSS score of less than 1% reflects a very low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a local account that has permission to write to the Visionline webserver folder; an attacker can replace executables there, leading to local privilege escalation."}}}}, "created": "2026-03-11T11:50:26.629642+00:00", "updated": "2026-04-16T04:00:09.457597+00:00", "vendors": ["assa_abloy", "assa_abloy$PRODUCT$visionline"]}