{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/salto-proaccess-space-6.13/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":6.5,"id":"CVE-2026-11189"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SALTO ProAccess Space \u003c6.13"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","ICS","authorization-bypass"],"_cs_type":"advisory","_cs_vendors":["SALTO"],"content_html":"\u003cp\u003eCISA has released an advisory concerning CVE-2026-11889, a privilege escalation vulnerability affecting SALTO ProAccess Space versions prior to 6.13. This flaw, categorized as an Authorization Bypass Through User-Controlled Key (CWE-639), allows an authenticated attacker to gain unauthorized access to spaces beyond their assigned logical partition within the same SALTO ProAccess Space installation. Exploitation requires valid operator credentials and the partitioning feature to be actively enabled within the system. SALTO ProAccess Space is widely used in commercial facilities and critical manufacturing sectors globally for access control and security management. While no public exploitation has been reported to CISA, the vulnerability poses a risk of internal data or access control system compromise for organizations utilizing the affected software with partitioning enabled, impacting the confidentiality and integrity of their access management.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains valid operator credentials for a SALTO ProAccess Space instance.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the SALTO ProAccess Space application using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe authenticated attacker exploits CVE-2026-11889 by manipulating an authorization check via a user-controlled key, bypassing the assigned partition controls.\u003c/li\u003e\n\u003cli\u003eThe system grants the attacker unauthorized access to spaces or data outside their legitimate assigned logical partition.\u003c/li\u003e\n\u003cli\u003eThe attacker can then view or manipulate access controls and sensitive information associated with the unauthorized partitions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-11889 allows an authenticated attacker to escalate their privileges within the SALTO ProAccess Space application, gaining unauthorized access to spaces and data outside their assigned partition. This could lead to a breach of sensitive access control information, unauthorized modification of access rights for physical spaces, and potential disruption of security operations within affected organizations. The vulnerability specifically impacts critical infrastructure sectors such as Commercial Facilities and Critical Manufacturing, which rely on SALTO ProAccess Space for secure access management. While no known public exploitation has been reported, the compromise of logical partition separation could have significant consequences for security and compliance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all SALTO ProAccess Space installations to version 6.13 or later to remediate CVE-2026-11189.\u003c/li\u003e\n\u003cli\u003eOperate SALTO ProAccess Space on a protected internal network and avoid direct exposure to the internet, as recommended by SALTO.\u003c/li\u003e\n\u003cli\u003eRestrict operator-level accounts within SALTO ProAccess Space to the minimum required permissions, adhering to least-privilege principles.\u003c/li\u003e\n\u003cli\u003eIf strong tenant separation is not critical, consider disabling the partitioning feature in SALTO ProAccess Space; alternatively, run separate isolated instances instead of relying solely on logical partitioning.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T16:11:18Z","date_published":"2026-07-16T16:11:18Z","id":"https://feed.craftedsignal.io/briefs/2026-07-privilege-escalation-salto-proaccess/","summary":"An authenticated attacker can exploit CVE-2026-11889, a privilege escalation vulnerability in SALTO ProAccess Space versions prior to 6.13, to bypass authorization controls and access spaces outside their assigned partition within the same installation, provided the partitioning feature is enabled.","title":"Privilege Escalation Vulnerability in SALTO ProAccess Space","url":"https://feed.craftedsignal.io/briefs/2026-07-privilege-escalation-salto-proaccess/"}],"language":"en","title":"CraftedSignal Threat Feed - SALTO ProAccess Space \u003c6.13","version":"https://jsonfeed.org/version/1.1"}