CVE-2026-22676 HIGH

CVE-2026-22676: Barracuda RMM < 2025.2.2 Privilege Escalation via Insecure Directory Permissions

Vendor Barracuda Networks
Product RMM
Weakness CWE-732
Published April 15, 2026
Last update April 16, 2026

CVSS base score

8.5/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Barracuda RMM versions prior to 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on the C:\Windows\Automation directory. Attackers can modify existing automation content or place attacker-controlled files in this directory, which are then executed under the NT AUTHORITY\SYSTEM account during routine automation cycles, typically succeeding within the next execution cycle.

Key dates

02 Disclosure timeline

April 15, 2026 CVE published
April 16, 2026 Record updated