runZero Platform Superuser Privilege Escalation (CVE-2026-5373)
CVE-2026-5373 is an improper privilege management vulnerability in the runZero platform that allows all-organization administrators to promote accounts to superuser status, which was fixed in version 4.0.260202.0.
CVE-2026-5373 is an improper privilege management vulnerability (CWE-269) in the runZero platform. An administrator holding “all-organization” privileges could elevate other accounts to superuser status, so a malicious or compromised all-organization administrator account could take complete control of the runZero instance. The issue carries a CVSS v3.1 base score of 8.1 (High) and was fixed in runZero Platform version 4.0.260202.0.
Attack Chain
- An attacker obtains an administrator account with “all-organization” privileges on a runZero platform instance, for example through compromised credentials.
- In the user management section of the platform, the attacker selects a target account under their control (a second account they hold).
- The attacker invokes the “promote to superuser” function. Before the fix, this function did not enforce that only an existing superuser may confer superuser status; being an all-organization administrator was enough.
- The platform elevates the target account to superuser.
- The attacker signs in as the newly promoted account and now holds full control over the runZero platform, including its collected asset data and system configuration.
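The authorization gap in the chain above, shown as an added example. This is not runZero’s code: the role ladder, the account type and the two `set_role_*` functions are assumptions chosen to illustrate the CWE-269 pattern the advisory describes (an administrator check that never compares the role being granted against the actor’s own role) next to a check that closes it.

```python
"""Authorization check behind a "promote to superuser" action.

Added illustration, not runZero code. Role names and functions are
assumptions: they model the advisory's "all-organization administrator
can grant superuser" flaw and one way to fix it.
"""
from dataclasses import dataclass
from enum import IntEnum


class Role(IntEnum):
    """Hypothetical role ladder; a higher value means more privilege."""
    USER = 1
    ORG_ADMIN = 2        # administrator of a single organization
    ALL_ORG_ADMIN = 3    # administrator across all organizations
    SUPERUSER = 4        # full control of the platform instance


@dataclass
class Account:
    name: str
    role: Role


class PermissionDenied(Exception):
    pass


def set_role_vulnerable(actor: Account, target: Account, new_role: Role) -> Role:
    """Pre-fix behaviour: gates only on 'is the actor an administrator'.

    new_role is never compared with the actor's own role, so an
    ALL_ORG_ADMIN can hand out SUPERUSER (CWE-269).
    """
    if actor.role < Role.ALL_ORG_ADMIN:
        raise PermissionDenied(f"{actor.name} may not manage roles")
    target.role = new_role
    return target.role


def set_role_fixed(actor: Account, target: Account, new_role: Role) -> Role:
    """Hardened behaviour: an actor can neither grant a role above its own
    nor modify an account that already outranks it. Superuser status can
    therefore only be conferred by an existing superuser."""
    if actor.role < Role.ALL_ORG_ADMIN:
        raise PermissionDenied(f"{actor.name} may not manage roles")
    if new_role > actor.role:
        raise PermissionDenied(
            f"{actor.name} ({actor.role.name}) cannot grant {new_role.name}")
    if target.role > actor.role:
        raise PermissionDenied(
            f"{actor.name} cannot modify {target.name} ({target.role.name})")
    target.role = new_role
    return target.role


def replay_attack_chain(check) -> str:
    """Replay the advisory's attack chain against one of the two checks:
    a compromised all-organization admin promotes a second account it
    controls. Returns 'promoted' or 'denied'."""
    attacker = Account("compromised-admin", Role.ALL_ORG_ADMIN)
    second = Account("attacker-second-account", Role.USER)
    try:
        check(attacker, second, Role.SUPERUSER)
    except PermissionDenied:
        return "denied"
    return "promoted" if second.role == Role.SUPERUSER else "denied"


if __name__ == "__main__":
    print("vulnerable:", replay_attack_chain(set_role_vulnerable))  # promoted
    print("fixed:     ", replay_attack_chain(set_role_fixed))       # denied
```

The second and third checks in `set_role_fixed` are the ones that matter: the first only establishes that the actor is some kind of administrator, which is exactly the condition the vulnerable version stopped at.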
Impact
Successful exploitation of CVE-2026-5373 allows an attacker holding all-organization administrator credentials to escalate to superuser and take complete control of the runZero platform. That exposes the asset inventory runZero has collected, allows platform and scan configuration to be tampered with, and could serve as a stepping stone to other systems connected to or integrated with the runZero platform. The number of affected organizations is unknown; every installation running a version earlier than 4.0.260202.0 should be treated as vulnerable.
Recommendation
- Upgrade all runZero platform instances to version 4.0.260202.0 or later to patch CVE-2026-5373.
- Monitor runZero platform audit logs for user privilege changes, in particular any account being granted superuser status by an actor who is not already a superuser.
- Implement multi-factor authentication for all runZero administrator accounts to reduce the risk of credential compromise.
- Deploy the Sigma rule to detect potential exploitation attempts by monitoring for unexpected user role changes.
- Review and restrict administrator privileges according to the principle of least privilege.
Detection coverage (2 rules)
Detect runZero Superuser Privilege Escalation Attempt
Severity: high. Detects attempts to exploit CVE-2026-5373 by monitoring for unexpected user role changes in runZero platform logs.
Detect runZero Admin API Access
Severity: medium. Detects access to runZero admin APIs, which may indicate malicious activity.
Detection queries are kept inside the platform.
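The logic behind the first detection rule above, and behind the log-monitoring recommendation, as an added example that is not one of the platform’s rules and not runZero code. The audit-event field names (`action`, `actor`, `actor_role`, `target`, `old_role`, `new_role`) and the sample log lines are constructed for illustration; they must be mapped onto the real runZero audit-log schema before use.

```python
"""Flag superuser grants in runZero-style audit events.

Added example, not a rule shipped with the page or by runZero. Field names
and sample events are constructed; adapt them to the real log schema.
"""
import json
from typing import Iterable

# Constructed sample events: a routine role change, a login, a legitimate
# superuser grant by an existing superuser, and a grant by an
# all-organization admin that matches the CVE-2026-5373 pattern.
SAMPLE_LOG = """\
{"ts":"2026-02-03T09:12:01Z","action":"user.role_changed","actor":"ops-lead","actor_role":"all_org_admin","target":"new-hire","old_role":"user","new_role":"org_admin"}
{"ts":"2026-02-03T09:15:44Z","action":"user.login","actor":"new-hire","actor_role":"org_admin"}
{"ts":"2026-02-03T10:02:10Z","action":"user.role_changed","actor":"platform-owner","actor_role":"superuser","target":"ops-lead","old_role":"all_org_admin","new_role":"superuser"}
{"ts":"2026-02-03T11:47:33Z","action":"user.role_changed","actor":"ops-lead","actor_role":"all_org_admin","target":"svc-backup","old_role":"user","new_role":"superuser"}
"""


def parse_events(lines: Iterable[str]) -> list:
    """Parse one JSON event per line, skipping blanks and malformed lines
    rather than letting one bad record stop the detector."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect_superuser_grants(events: list) -> list:
    """Return one alert per role change that newly grants superuser.

    'high'   when the actor is not already a superuser: the escalation
             path the advisory describes (or its aftermath on an unpatched
             instance).
    'medium' for any other superuser grant, which is legitimate but rare
             enough to deserve a review queue.
    """
    alerts = []
    for ev in events:
        if ev.get("action") != "user.role_changed":
            continue
        if ev.get("new_role") != "superuser" or ev.get("old_role") == "superuser":
            continue
        severity = "high" if ev.get("actor_role") != "superuser" else "medium"
        alerts.append({
            "severity": severity,
            "ts": ev.get("ts"),
            "actor": ev.get("actor"),
            "target": ev.get("target"),
            "self_promotion": ev.get("actor") == ev.get("target"),
            "reason": (f"{ev.get('actor')} ({ev.get('actor_role')}) granted "
                       f"superuser to {ev.get('target')}"),
        })
    return alerts


def run_on_sample() -> list:
    """Convenience entry point over the constructed sample log."""
    return detect_superuser_grants(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for alert in run_on_sample():
        print(f"[{alert['severity'].upper()}] {alert['ts']} {alert['reason']}")
```

Keying the severity on the actor’s role rather than on the target’s new role alone is what separates the exploit from routine administration: a superuser conferring superuser is business as usual, an all-organization administrator doing so is exactly the behaviour the patch removes.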
Indicators of compromise
| Type | Value |
|---|---|
| url | https://help.runzero.com/docs/release-notes/#402602020 |
| url | https://www.runzero.com/advisories/runzero-platform-su-privesc-cve-2026-5373/ |
| email | [email protected] |