Skip to content
Threat Feed
high advisory

CVE-2026-15506: SecureAge CatchPulse Local Privilege Escalation via Heap-based Buffer Overflow

A heap-based buffer overflow vulnerability, CVE-2026-15506, in the `saappctl.sys` driver of SecureAge CatchPulse versions up to 10.9.3 allows a local attacker to achieve privilege escalation, and an exploit has been publicly disclosed.

CVE-2026-15506 identifies a critical security vulnerability within SecureAge CatchPulse, affecting all versions up to and including 10.9.3. The flaw resides in an unspecified function within the saappctl.sys kernel-mode driver component. This vulnerability is characterized as a heap-based buffer overflow, which, when successfully exploited, can lead to privilege escalation. Exploitation requires local access to the affected system. The technical details and a proof-of-concept exploit for this vulnerability have been publicly disclosed, increasing the immediate risk of attacks. For defenders, this means that any system running vulnerable versions of SecureAge CatchPulse is at risk of local privilege escalation if an attacker gains initial low-level access. Organizations using this software should prioritize patching to mitigate the threat.

Attack Chain

  1. Local Access: An attacker gains initial low-privileged access to a system running a vulnerable version of SecureAge CatchPulse. This could be a standard user account or a compromised process.
  2. Malicious Application Execution: The attacker executes a specially crafted local application or script on the compromised system.
  3. Driver Interaction: The malicious application attempts to interact with the vulnerable saappctl.sys kernel-mode driver, targeting an unspecified function.
  4. Heap-based Buffer Overflow Trigger: Through carefully designed input or system calls, the malicious application triggers the heap-based buffer overflow within the saappctl.sys driver.
  5. Arbitrary Kernel Code Execution: Successful exploitation of the buffer overflow leads to arbitrary code execution within the highly privileged kernel context (SYSTEM privileges).
  6. Privilege Escalation and System Compromise: With kernel-level privileges, the attacker can bypass security controls, install persistent malware, manipulate system configurations, or perform any action on the system, leading to full system compromise.

Impact

Successful exploitation of CVE-2026-15506 results in a complete compromise of the affected system. This heap-based buffer overflow allows an attacker with local access to execute arbitrary code with kernel privileges, bypassing all user-mode security restrictions. The CVSS v3.1 score of 7.8 indicates high impacts on confidentiality, integrity, and availability. While initial access is required, the public disclosure of an exploit significantly lowers the bar for attackers, meaning any vulnerable system could be targeted for privilege escalation to gain full control. This could lead to data exfiltration, installation of ransomware, disruption of critical services, or use of the compromised system as a pivot point for further network infiltration.

Recommendation

  • Patch CVE-2026-15506 immediately by upgrading SecureAge CatchPulse to a version greater than 10.9.3.
  • Monitor system logs, particularly those from Windows Event Log or Sysmon related to driver loading and unusual process interactions with kernel modules (e.g., saappctl.sys).
  • Ensure the principle of least privilege is enforced for all users and applications to limit potential initial access and impact of successful exploitation.