Share
## https://sploitus.com/exploit?id=6CD7F605-3A07-5DDB-BA3D-42D858D5FF26
**CVE ID:** CVE-2026-9789  
**Researcher:** Vo Duc Thang (ugvxb)  
**Acknowledgement:** https://community.acer.com/en/kb/articles/19670  
**Video POC:** https://drive.google.com/file/d/1B8b42bE68CWMnlqG6eJWi0txGFsHAJZc/view?usp=sharing 

## 1. Executive Summary

A critical local privilege escalation vulnerability has been discovered in Acer NitroSense software (PSAdminAgent.exe). The vulnerability allows any authenticated local user to delete arbitrary files with SYSTEM privileges, potentially leading to complete system compromise through DLL hijacking or security software bypass.

---

## 2. Vulnerability Details

### 2.1 Overview

The PSAdminAgent.exe service creates a named pipe with an overly permissive Access Control List (ACL) that allows any authenticated user to connect and send commands. The service processes file deletion commands without validating the caller's privileges or restricting the target paths. Since the service runs with SYSTEM privileges, this allows any local user to delete arbitrary files as SYSTEM.

### 2.2 Root Cause Analysis

**Issue 1: Weak Named Pipe ACL**

The named pipe is created with the following Security Descriptor Definition Language (SDDL) string:

```
D:(A;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(A;OICI;GA;;;BA)
```

Decoded:

| ACE | SID | Permission | Risk |
|-----|-----|------------|------|
| A;OICI;GA;;;BG | Built-in Guests | GENERIC_ALL | **CRITICAL** - Guests have full control |
| D;OICI;GA;;;AN | Anonymous | GENERIC_ALL (Deny) | Correct |
| A;OICI;GRGWGX;;;AU | Authenticated Users | Read/Write/Execute | **HIGH** - Any user can send commands |
| A;OICI;GA;;;BA | Built-in Administrators | GENERIC_ALL | Expected |

**Issue 2: No Path Validation**

The delete_file command handler passes user-supplied paths directly to the Windows `DeleteFileW` API without any validation or restriction.

**Issue 3: No Caller Authentication**

The service does not verify that the connecting client is an authorized Acer application, allowing any process to send commands.

---

## 3. Affected Commands

Based on reverse engineering analysis, the following command is confirmed exploitable:

| Command ID | Function | Risk |
|------------|----------|------|
| 0x0003 | delete_file | **CRITICAL** - Arbitrary file deletion |

---

### 3.1 Vulnerable Function Locations (PSAdminAgent.exe)

| Function | Address | Description |
|----------|---------|-------------|
| Pipe Creation | 0x140015ea0 | Creates named pipe with weak ACL |
| Command Dispatch | 0x140008d14 | Routes commands via jump table |
| delete_file Handler | 0x1400094e0 | Calls DeleteFileW without validation |

### 3.2 SDDL String Location

Address: 0x140059810

```
D:(A;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(A;OICI;GA;;;BA)
```

### 3.3 Command Dispatch Table

Address: 0x140057950

```
[0x00] -> 0x140009080
[0x01] -> 0x140009310
[0x02] -> 0x1400093a0
[0x03] -> 0x1400094e0  (delete_file)  0x140009610
[0x05] -> 0x1400097c0
...
[0x0E] -> 0x14000a950
```

### 3.4 Confirmed Vulnerable Code Path

```
PSAdminAgent.exe
    -> Named Pipe: \\.\pipe\PredatorSense_admin_agent_X
        -> Command Handler (0x140008d14)
            -> CMD 0x0003: delete_file (0x1400094e0)
                -> DeleteFileW(user_supplied_path)  <- NO VALIDATION
```

---

## 4. Risk Assessment

### 4.1 CVSS v4.0 Score

| Metric | Value |
|--------|-------|
| **CVSS 4.0 Vector** |AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| **CVSS Base Score** | **8.5 (HIGH)** |

---

## 5. References

- CWE-732: https://cwe.mitre.org/data/definitions/732.html
- CWE-284: https://cwe.mitre.org/data/definitions/284.html
- CWE-22: https://cwe.mitre.org/data/definitions/22.html
- CWE-269: https://cwe.mitre.org/data/definitions/269.html

## 6. Disclaimer

This poc is for educational and authorized security research purposes only. The author is not responsible for any misuse. Exploitation without authorization is illegal.