{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23703", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-02-12T07:13:38.504Z", "datePublished": "2026-02-26T05:39:11.471Z", "dateUpdated": "2026-02-26T14:25:14.491Z"}, "containers": {"cna": {"affected": [{"vendor": "Digital Arts Inc.", "product": "FinalCode Ver.5 series", "versions": [{"version": "prior to 5.43R01", "status": "affected"}]}, {"vendor": "Digital Arts Inc.", "product": "FinalCode Ver.6 series", "versions": [{"version": "prior to 6.51R01", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "The installer of FinalCode Client provided by Digital Arts Inc. contains an incorrect default permissions vulnerability. A non-administrative user may execute arbitrary code with SYSTEM privilege."}], "problemTypes": [{"descriptions": [{"description": "Incorrect default permissions", "lang": "en-US", "cweId": "CWE-276", "type": "CWE"}]}], "references": [{"url": "https://www.daj.jp/shared/php/downloadset/c/parts.php?page=dl&filename=information_20260226_01.pdf"}, {"url": "https://jvn.jp/en/jp/JVN48498976/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "HIGH", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.5, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-02-26T05:39:11.471Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T14:25:01.795668Z", "id": "CVE-2026-23703", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:25:14.491Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23703", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-26T14:25:01.795668Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:25:08.844Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.5, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Digital Arts Inc.", "product": "FinalCode Ver.5 series", "versions": [{"status": "affected", "version": "prior to 5.43R01"}]}, {"vendor": "Digital Arts Inc.", "product": "FinalCode Ver.6 series", "versions": [{"status": "affected", "version": "prior to 6.51R01"}]}], "references": [{"url": "https://www.daj.jp/shared/php/downloadset/c/parts.php?page=dl&filename=information_20260226_01.pdf"}, {"url": "https://jvn.jp/en/jp/JVN48498976/"}], "descriptions": [{"lang": "en", "value": "The installer of FinalCode Client provided by Digital Arts Inc. contains an incorrect default permissions vulnerability. A non-administrative user may execute arbitrary code with SYSTEM privilege."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-276", "description": "Incorrect default permissions"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-02-26T05:39:11.471Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23703", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:25:14.491Z", "dateReserved": "2026-02-12T07:13:38.504Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-02-26T05:39:11.471Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The installer of FinalCode Client provided by Digital Arts Inc. contains an incorrect default permissions vulnerability. A non-administrative user may execute arbitrary code with SYSTEM privilege."}, {"lang": "es", "value": "El instalador de FinalCode Cliente proporcionado por Digital Arts Inc. contiene una vulnerabilidad de permisos predeterminados incorrectos. Un usuario no administrativo puede ejecutar c\u00f3digo arbitrario con privilegios de SYSTEM."}], "id": "CVE-2026-23703", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-02-26T06:17:15.893", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/jp/JVN48498976/"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.daj.jp/shared/php/downloadset/c/parts.php?page=dl&filename=information_20260226_01.pdf"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.43R01)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "FinalCode Ver.5 series", "source": "cna", "vendor": "Digital Arts Inc."}, "product": "finalcode_ver.5_series", "vendor": "digital_arts"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.51R01)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "FinalCode Ver.6 series", "source": "cna", "vendor": "Digital Arts Inc."}, "product": "finalcode_ver.6_series", "vendor": "digital_arts"}], "analysis": {"en": {"generated_at": "2026-04-17T14:25:29.499593+00:00", "value": {"mitigation_remediation": ["Install a verified, up\u2011to\u2011date version of FinalCode Client that corrects the installer permissions flaw.", "If an update is unavailable, restrict the installer executable\u2019s permissions so that only members of the Administrators group can run it.", "Configure local security policies or AppLocker rules to block execution of installers from untrusted locations for standard users, thereby preventing the privilege escalation pathway."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation to SYSTEM"}, "threat_synthesis": {"affected_systems": "Digital Arts Inc. FinalCode version 5 series and version 6 series are affected. All installations that deploy the provided installer package are vulnerable until corrected.", "description_and_impact": "The installer bundled with Digital Arts Inc.'s FinalCode Client has an incorrect default permissions setting that allows a user without administrative rights to gain SYSTEM level privileges by executing arbitrary code during installation. This flaw is a classic example of improper privilege assignment (CWE\u2011276) and can be leveraged to run any code with full system authority on the affected machine.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.5 and an EPSS probability of less than one percent, indicating a low likelihood of widespread exploitation. The flaw is currently not listed in CISA\u2019s KEV catalog. Exploitation requires local access to run the installer, but once executed it can elevate any non\u2011admin user to SYSTEM, providing full control over the host."}}}}, "created": "2026-02-26T13:09:40.357005+00:00", "title": "Incorrect Default Permissions in FinalCode Client Installer Enable SYSTEM Privilege Escalation", "updated": "2026-04-17T14:30:20.827146+00:00", "vendors": ["digital_arts", "digital_arts$PRODUCT$finalcode_ver.5_series", "digital_arts$PRODUCT$finalcode_ver.6_series"]}