What is CVE-2026-2999?

CVE-2026-2999 is a publicly disclosed cybersecurity vulnerability with a CRITICAL severity rating and CVSS score of 9.3.

How to search for CVE vulnerabilities?

You can search the 4nuxd CVE database using CVE IDs, vendor names, product names, or severity levels.

CVE-2026-2999

CRITICAL9.3/ 10.0

Published: March 2, 2026 at 07:16 AM

Modified: March 2, 2026 at 08:29 PM

Source: twcert@cert.org.tw

Vulnerability Description

IDExpert Windows Logon Agent developed by Changing has a Remote Code Execution vulnerability, allowing unauthenticated remote attackers to force the system to download arbitrary executable files from a remote source and execute them.

CVSS Metrics

Base Score

9.3

Severity

CRITICAL

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

CWE-494

Source: twcert@cert.org.tw

AI Security Analysis

01 // Technical Summary

Unauthenticated remote attackers can exploit a critical vulnerability in the IDExpert Windows Logon Agent, developed by Changing, to achieve remote code execution (RCE). This allows attackers to execute arbitrary code on vulnerable systems, potentially leading to complete system compromise and data exfiltration. The vulnerability requires no user interaction, making it a high-priority threat.

02 // Vulnerability Mechanism

Step 1: Target Identification: The attacker identifies systems running the vulnerable IDExpert Windows Logon Agent.

Step 2: Payload Hosting: The attacker sets up a malicious server hosting a specially crafted executable file (payload).

Step 3: Triggering the Vulnerability: The attacker sends a crafted request to the IDExpert Windows Logon Agent, instructing it to download the malicious executable from the attacker's server.

Step 4: File Download: The vulnerable agent downloads the attacker-controlled executable file.

Step 5: Execution: The agent, due to insufficient validation, executes the downloaded malicious executable with the privileges of the agent, resulting in RCE and system compromise.

03 // Deep Technical Analysis

The vulnerability stems from a flaw in the IDExpert Windows Logon Agent's handling of downloaded executable files. Specifically, the agent fails to properly validate the source or integrity of the downloaded files before execution. This allows an attacker to control the download location and content, leading to arbitrary code execution. The root cause likely involves insecure deserialization or a lack of input validation on parameters controlling file download and execution paths. The agent likely uses a privileged context, granting the attacker elevated privileges upon successful exploitation. The lack of proper authentication further exacerbates the issue, enabling any remote attacker to trigger the vulnerability.