{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/runzero/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-5373"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","cve","runzero"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5373 is an improper privilege management vulnerability affecting the runZero platform. This vulnerability allows administrators with \u0026ldquo;all-organization\u0026rdquo; privileges to escalate the privileges of other accounts to superuser status. This could allow a malicious or compromised administrator account to gain complete control over the runZero platform instance. The vulnerability is classified as CWE-269 (Improper Privilege Management) and has a CVSS v3.1 score of 8.1 (High). The vulnerability was patched in runZero Platform version 4.0.260202.0. This issue allows an attacker with admin access to gain complete control over the platform.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains administrative access to a runZero platform instance with \u0026ldquo;all-organization\u0026rdquo; privileges. 
This could be achieved through compromised credentials or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the user management section of the runZero platform.\u003c/li\u003e\n\u003cli\u003eThe attacker selects a target user account.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u0026ldquo;promote to superuser\u0026rdquo; functionality, which, due to the vulnerability, does not have proper validation.\u003c/li\u003e\n\u003cli\u003eThe runZero platform incorrectly elevates the target user\u0026rsquo;s privileges to superuser.\u003c/li\u003e\n\u003cli\u003eThe attacker logs in as the newly promoted superuser account.\u003c/li\u003e\n\u003cli\u003eThe attacker now has full control over the runZero platform, including access to sensitive data and the ability to modify system configurations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5373 allows an attacker with compromised administrator credentials to escalate privileges to superuser, gaining complete control over the runZero platform. This could lead to the exposure of sensitive asset data, the modification of network configurations, and potentially the compromise of other systems connected to the runZero platform. The exact number of affected organizations is unknown, but all installations prior to version 4.0.260202.0 are potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all runZero platform instances to version 4.0.260202.0 or later to patch CVE-2026-5373.\u003c/li\u003e\n\u003cli\u003eMonitor runZero platform logs for any unusual activity related to user privilege changes. 
Enable process creation logging to detect unusual activity.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication for all runZero administrator accounts to reduce the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect potential exploitation attempts by monitoring for unexpected user role changes.\u003c/li\u003e\n\u003cli\u003eReview and restrict administrator privileges according to the principle of least privilege.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T15:17:47Z","date_published":"2026-04-07T15:17:47Z","id":"/briefs/2026-04-runzero-privesc/","summary":"CVE-2026-5373 is an improper privilege management vulnerability in the runZero platform that allows all-organization administrators to promote accounts to superuser status, which was fixed in version 4.0.260202.0.","title":"runZero Platform Superuser Privilege Escalation (CVE-2026-5373)","url":"https://feed.craftedsignal.io/briefs/2026-04-runzero-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Runzero","version":"https://jsonfeed.org/version/1.1"}