CVE-2026-51119

Invixium · IXM WEB

Invixium IXM WEB v.2.3.85.25 contains a privilege escalation vulnerability in the /SystemUsers/CreateAppUser component that allows unauthorized users to elevate their access level.

Executive summary

A critical privilege escalation vulnerability in Invixium IXM WEB allows unauthenticated attackers to gain unauthorized administrative access to the system.

Vulnerability

This is a privilege escalation vulnerability located within the /SystemUsers/CreateAppUser endpoint. The flaw allows an unauthenticated attacker to manipulate system user creation processes, effectively bypassing authorization controls.

Business impact

The ability for an unauthenticated user to escalate privileges represents a catastrophic security failure, potentially granting full control over physical access management systems. With a CVSS score of 9.1, this vulnerability poses a severe risk of unauthorized access to sensitive facilities and user data, leading to significant operational and physical security compromises.

Remediation

Immediate Action: Contact Invixium support immediately to obtain a patch or mitigation for version 2.3.85.25, as no public patch is currently documented.

Proactive Monitoring: Review system access logs for any irregular activity related to the /SystemUsers/CreateAppUser endpoint and monitor for unexpected new user account creation.

Compensating Controls: Implement strict network segmentation to ensure the IXM WEB interface is not exposed to the public internet and restrict access to authorized management networks only.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical nature of this privilege escalation flaw, administrators must prioritize restricting network access to the affected software immediately. Reach out to the vendor for formal remediation guidance and ensure that any administrative interfaces are hidden behind VPNs or robust authentication gateways until a patch is applied.