{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24466", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-01-23T00:31:37.485Z", "datePublished": "2026-02-09T06:59:30.186Z", "dateUpdated": "2026-02-09T15:43:46.605Z"}, "containers": {"cna": {"affected": [{"vendor": "Oki Electric Industry Co., Ltd.", "product": "See \"References\" section", "versions": [{"version": "See \"References\" section", "status": "affected"}]}, {"vendor": "Ricoh Company, Ltd.", "product": "See \"References\" section", "versions": [{"version": "See \"References\" section", "status": "affected"}]}, {"vendor": "Murata Machinery, Ltd.", "product": "See \"References\" section", "versions": [{"version": "See \"References\" section", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "Products provided by Oki Electric Industry Co., Ltd. and its OEM products (Ricoh Co., Ltd., Murata Machinery, Ltd.) register Windows services with unquoted file paths. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege."}], "problemTypes": [{"descriptions": [{"description": "Unquoted search path or element", "lang": "en-US", "cweId": "CWE-428", "type": "CWE"}]}], "references": [{"url": "https://www.oki.com/jp/product_security/sa_2026_0001_en.html"}, {"url": "https://www.oki.com/jp/printing/support/important-information/2026/info-260209/index.html"}, {"url": "https://jp.ricoh.com/security/products/vulnerabilities/vul?id=ricoh-2026-000002"}, {"url": "https://www.muratec.jp/ce/support/announce_sp_20260209.html"}, {"url": "https://jvn.jp/en/jp/JVN55395471/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "MEDIUM", "baseScore": 6.7, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.4, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-02-09T06:59:30.186Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T15:43:38.709818Z", "id": "CVE-2026-24466", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:43:46.605Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24466", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-09T15:43:38.709818Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:43:43.292Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 6.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Oki Electric Industry Co., Ltd.", "product": "See \"References\" section", "versions": [{"status": "affected", "version": "See \"References\" section"}]}, {"vendor": "Ricoh Company, Ltd.", "product": "See \"References\" section", "versions": [{"status": "affected", "version": "See \"References\" section"}]}, {"vendor": "Murata Machinery, Ltd.", "product": "See \"References\" section", "versions": [{"status": "affected", "version": "See \"References\" section"}]}], "references": [{"url": "https://www.oki.com/jp/product_security/sa_2026_0001_en.html"}, {"url": "https://www.oki.com/jp/printing/support/important-information/2026/info-260209/index.html"}, {"url": "https://jp.ricoh.com/security/products/vulnerabilities/vul?id=ricoh-2026-000002"}, {"url": "https://www.muratec.jp/ce/support/announce_sp_20260209.html"}, {"url": "https://jvn.jp/en/jp/JVN55395471/"}], "descriptions": [{"lang": "en", "value": "Products provided by Oki Electric Industry Co., Ltd. and its OEM products (Ricoh Co., Ltd., Murata Machinery, Ltd.) register Windows services with unquoted file paths. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-428", "description": "Unquoted search path or element"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-02-09T06:59:30.186Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24466", "state": "PUBLISHED", "dateUpdated": "2026-02-09T15:43:46.605Z", "dateReserved": "2026-01-23T00:31:37.485Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-02-09T06:59:30.186Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Products provided by Oki Electric Industry Co., Ltd. and its OEM products (Ricoh Co., Ltd., Murata Machinery, Ltd.) register Windows services with unquoted file paths. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege."}, {"lang": "es", "value": "Productos proporcionados por Oki Electric Industry Co., Ltd. y sus productos OEM (Ricoh Co., Ltd., Murata Machinery, Ltd.) registran servicios de Windows con rutas de archivo sin comillas. Un usuario con permiso de escritura en el directorio ra\u00edz de la unidad del sistema puede ejecutar c\u00f3digo arbitrario con privilegios de SYSTEM."}], "id": "CVE-2026-24466", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-02-09T07:16:18.463", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://jp.ricoh.com/security/products/vulnerabilities/vul?id=ricoh-2026-000002"}, {"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/jp/JVN55395471/"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.muratec.jp/ce/support/announce_sp_20260209.html"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.oki.com/jp/printing/support/important-information/2026/info-260209/index.html"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.oki.com/jp/product_security/sa_2026_0001_en.html"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-428"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "See \"References\" section"}}], "product": "murata_products", "vendor": "murata_machinery"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "See \"References\" section"}}], "product": "oki_products", "vendor": "oki_electric_industry"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "See \"References\" section"}}], "product": "ricoh_products", "vendor": "ricoh_company"}], "analysis": {"en": {"generated_at": "2026-04-17T21:34:20.610392+00:00", "value": {"mitigation_remediation": ["Replace or quote the unquoted service path in the Windows service configuration and reinstall the service", "Restrict write access to the root of the system drive to administrators only and monitor for unauthorized changes", "If a vendor update is not yet available, disable the vulnerable service or move it to a location with properly quoted paths", "Verify that the service is running with the intended account and that the DLL path is secure"], "summary": {"action": "Apply Patch", "impact": "Local Privilege Escalation via Unquoted Service Path"}, "threat_synthesis": {"affected_systems": "Affected vendors are Oki Electric Industry Co., Ltd., Ricoh Company Ltd., and Murata Machinery Ltd. The vulnerability exists in their OEM-registered Windows services, but no specific version or firmware information is provided in the advisory. Systems running these OEM services on Windows are at risk.", "description_and_impact": "Products from Oki Electric Industry, Ricoh, and Murata Machinery register Windows services that use unquoted file paths. A user with write access to the system\u2011drive root can create or replace a DLL referenced by the service without the service\u2019s path being quoted. When the authenticated service starts, the injected DLL executes under the SYSTEM account, allowing arbitrary code execution with full system privileges. This can lead to complete control over the host, including configuration changes, persistence, or further lateral movement.", "risk_and_exploitability": "The CVSS v3 score of 8.4 classifies the issue as high severity. The EPSS score is below 1%, indicating that the likelihood of exploitation in the wild is currently low, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires a local user with write permissions to the system\u2011drive root; if such access exists, the flaw can be readily exploited. Remote exploitation would require an additional vector to gain write access. Overall, the risk is significant for organizations that have non\u2011administrator accounts with root\u2011drive write rights on affected machines."}}}}, "created": "2026-02-12T11:19:47.819465+00:00", "title": "Unquoted Windows Service Path Enables SYSTEM\u2011Privilege Exploitation on Oki Electric and OEM Printers", "updated": "2026-04-17T21:45:28.621154+00:00", "vendors": ["murata_machinery", "murata_machinery$PRODUCT$murata_products", "oki_electric_industry", "oki_electric_industry$PRODUCT$oki_products", "ricoh_company", "ricoh_company$PRODUCT$ricoh_products"]}