CVE-2023-26077

7.8 HIGH

📋 TL;DR

The Atera Agent on Windows creates temporary files in directories with insecure permissions, allowing local attackers to write arbitrary files. This affects Windows systems running Atera Agent version 1.8.3.6 and earlier.

💻 Affected Systems

Products:
  • Atera Agent
Versions: through 1.8.3.6
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations of Atera Agent.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local privilege escalation to SYSTEM or arbitrary code execution by writing malicious files to sensitive locations.

🟠 Likely Case

Local attackers could write files to gain persistence, escalate privileges, or disrupt system operations.

🟢 If Mitigated

Limited impact if proper file permissions and user access controls are enforced.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring access to the system.
🏢 Internal Only: MEDIUM - Internal attackers with local access could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires local access to the system. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.3.7 or later

Vendor Advisory: https://www.atera.com

Restart Required: Yes

Instructions:

1. Update Atera Agent to version 1.8.3.7 or later.
2. Restart the system or service to apply changes.

🔧 Temporary Workarounds

Restrict directory permissions

windows

Manually secure the temporary directory permissions to prevent unauthorized writes.

icacls "C:\ProgramData\Atera\Temp" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" /grant:r "Administrators:(OI)(CI)F"
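
One way to confirm the workaround took effect, as an added example (not Atera's code and not part of the original page): the function below lists allow ACEs on the directory that give create, write, delete or ACL-change rights to anyone other than SYSTEM and Administrators. The function name is hypothetical, and the path is the one the workaround above uses.

```powershell
# Added example. Lists allow ACEs on the agent temp directory that let a
# principal other than SYSTEM or Administrators create, change or delete
# content, or rewrite the ACL. No output means the lockdown is in effect.
function Get-WritableAce {   # hypothetical helper name
    param(
        # Path as given in the workaround on this page.
        [string]$Path = 'C:\ProgramData\Atera\Temp'
    )

    # Well-known SIDs, so the check does not depend on localized account names.
    $trustedSids = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544'   # BUILTIN\Administrators
    )

    # Specific rights that allow planting or replacing files or changing the ACL.
    $writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Inherit-only ACEs (e.g. CREATOR OWNER) can carry raw generic bits instead:
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
    $mask = [int]$writeRights -bor 0x50000000

    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }

        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # orphaned or unresolvable account
        }
        if ($trustedSids -contains $sid) { continue }

        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Sid       = $sid
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

Get-WritableAce | Format-Table -AutoSize
```

Run it from an elevated PowerShell session before and after applying the icacls command; any row that remains afterwards is an entry the lockdown did not remove.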

🧯 If You Can't Patch

  • Implement strict access controls to limit local user privileges.
  • Monitor file creation in Atera temporary directories for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check Atera Agent version in Control Panel > Programs and Features or via command: wmic product where name='Atera Agent' get version

Check Version:

wmic product where name='Atera Agent' get version

Verify Fix Applied:

Verify version is 1.8.3.7 or later using the same method.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file creation in Atera temporary directories
  • Failed permission changes to Atera directories

Network Indicators:

  • None - this is a local file system vulnerability

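SIEM Query (Event ID 4663 is only logged when file system object access auditing is enabled and the directory has an auditing entry (SACL) covering writes):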

EventID=4663 AND ObjectName LIKE '%Atera%Temp%' AND Accesses LIKE '%WriteData%'
