<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>SALTO ProAccess Space &lt;6.13 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/salto-proaccess-space-6.13/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 16 Jul 2026 16:11:18 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/salto-proaccess-space-6.13/feed.xml" rel="self" type="application/rss+xml"/><item><title>Privilege Escalation Vulnerability in SALTO ProAccess Space</title><link>https://feed.craftedsignal.io/briefs/2026-07-privilege-escalation-salto-proaccess/</link><pubDate>Thu, 16 Jul 2026 16:11:18 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-privilege-escalation-salto-proaccess/</guid><description>An authenticated attacker can exploit CVE-2026-11889, a privilege escalation vulnerability in SALTO ProAccess Space versions prior to 6.13, to bypass authorization controls and access spaces outside their assigned partition within the same installation, provided the partitioning feature is enabled.</description><content:encoded><![CDATA[<p>CISA has released an advisory concerning CVE-2026-11889, a privilege escalation vulnerability affecting SALTO ProAccess Space versions prior to 6.13. This flaw, categorized as an Authorization Bypass Through User-Controlled Key (CWE-639), allows an authenticated attacker to gain unauthorized access to spaces beyond their assigned logical partition within the same SALTO ProAccess Space installation. Exploitation requires valid operator credentials and the partitioning feature to be actively enabled within the system. SALTO ProAccess Space is widely used in commercial facilities and critical manufacturing sectors globally for access control and security management. While no public exploitation has been reported to CISA, the vulnerability poses a risk of internal data or access control system compromise for organizations utilizing the affected software with partitioning enabled, impacting the confidentiality and integrity of their access management.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker obtains valid operator credentials for a SALTO ProAccess Space instance.</li>
<li>The attacker authenticates to the SALTO ProAccess Space application using the compromised credentials.</li>
<li>The authenticated attacker exploits CVE-2026-11889 by manipulating an authorization check via a user-controlled key, bypassing the assigned partition controls.</li>
<li>The system grants the attacker unauthorized access to spaces or data outside their legitimate assigned logical partition.</li>
<li>The attacker can then view or manipulate access controls and sensitive information associated with the unauthorized partitions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-11889 allows an authenticated attacker to escalate their privileges within the SALTO ProAccess Space application, gaining unauthorized access to spaces and data outside their assigned partition. This could lead to a breach of sensitive access control information, unauthorized modification of access rights for physical spaces, and potential disruption of security operations within affected organizations. The vulnerability specifically impacts critical infrastructure sectors such as Commercial Facilities and Critical Manufacturing, which rely on SALTO ProAccess Space for secure access management. While no known public exploitation has been reported, the compromise of logical partition separation could have significant consequences for security and compliance.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade all SALTO ProAccess Space installations to version 6.13 or later to remediate CVE-2026-11189.</li>
<li>Operate SALTO ProAccess Space on a protected internal network and avoid direct exposure to the internet, as recommended by SALTO.</li>
<li>Restrict operator-level accounts within SALTO ProAccess Space to the minimum required permissions, adhering to least-privilege principles.</li>
<li>If strong tenant separation is not critical, consider disabling the partitioning feature in SALTO ProAccess Space; alternatively, run separate isolated instances instead of relying solely on logical partitioning.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>privilege-escalation</category><category>ICS</category><category>authorization-bypass</category></item></channel></rss>