Attack Chain

1. Attacker identifies a vulnerable UAC instance running a version prior to 3.3.0-rc1.
2. Attacker crafts a malicious input string containing shell metacharacters or command substitutions, targeting either %line% values in foreach iterators, or the %user% and %user_home% values.
3. The attacker-controlled input is passed to UAC, potentially via a configuration file, command-line argument, or other input mechanism.
4. UAC’s _run_command() function receives the malicious input and performs placeholder substitution.
5. The resulting command string, now containing the injected commands, is passed to the eval function without proper sanitization.
6. The eval function executes the attacker-injected commands with the privileges of the UAC process.
7. The attacker gains arbitrary code execution on the system.
8. The attacker can then perform actions such as data exfiltration, system compromise, or lateral movement within the network.

Impact

The command injection vulnerability in UAC before 3.3.0-rc1 allows attackers to execute arbitrary commands on the affected system. The impact of successful exploitation includes complete system compromise, data breaches, and potential for lateral movement to other systems within the network. Since UAC is used to collect artifacts, successful exploitation could lead to the collection of sensitive data from the compromised system, which could then be exfiltrated. The specific number of potential victims is unknown.

Recommendation

• Upgrade UAC to version 3.3.0-rc1 or later to patch CVE-2026-40032.
• Implement input validation and sanitization for all user-supplied input, particularly those used in command construction and execution, to prevent command injection vulnerabilities.
• Monitor process execution for unexpected or unauthorized commands originating from the UAC process, using the Sigma rules provided below.