LeakyCreds

CVE-2026-24068 - Vulnerability Analysis

High | CVSS: 8.8

Last Updated: March 26, 2026

VSL privileged helper - Broken Access Control

Published: March 26, 2026 | Updated: March 26, 2026 | Remote Exploitable

Overview

The VSL privileged helper has a broken access control flaw caused by missing client validation in its NSXPC 'shouldAcceptNewConnection' function, which lets any process write files or execute commands. Exploitation requires no special privileges.

Severity & Score

Severity: High
CVSS Score: 8.8
EPSS Score: 3.9% (Probability of exploitation in next 30 days)

Impact

Any process can write arbitrary files and execute commands, leading to full privilege escalation on the system.

Mitigation

Update to the latest version with proper NSXPC client validation.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 26, 2026

🟠 CVE-2026-24068 - High (8.8) The VSL privileged helper does utilize NSXPC for IPC. The implementation of the "shouldAcceptNewConnection" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24068/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-24068
Severity: High
CVSS Score: 8.8
Type: broken_access_control
Status: unconfirmed
EPSS: 3.9%
Social Posts: 1

CWE

  • CWE-306

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

3.9% (Probability of exploitation in the next 30 days)