Fujitsu ServerView Privilege-Escalation Flaws: CVE-2026-27788 / CVE-2026-32325, Update Now

blog/Articles/Fujitsu ServerView Server-Management Software: Privilege-Escalation Flaws, CVE-2026-27788 / CVE-2026-32325

News Updated today

Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.017 min1 views

Share X Hatena LINE LinkedIn RSS

Key takeaways

Two privilege-escalation flaws were found in ServerView Agents for Windows, the server-management software from Fujitsu-affiliated Fsas Technologies. Anyone who can log in to the server can seize Windows' highest privilege and take over data and other servers. Severity CVSS 8.5; V11.60.04 and earlier affected. Update now.

Two privilege-escalation vulnerabilities have been found in "ServerView Agents for Windows," the server-management software supplied by Fujitsu-affiliated Fsas Technologies (JVN#67883085, published May 29, 2026). The affected versions are V11.60.04 and earlier, and both flaws carry a severity of CVSS 8.5 (out of 10). Anyone who can log in to the server can seize SYSTEM privileges, the highest level of authority in Windows, and freely take over the entire machine. The flaws were reported by Masahiro Iida of LAC Co., Ltd. This is not a flaw anyone can attack remotely without credentials; it is "local privilege escalation," abused by someone who already has a way to log in to the server. Fsas Technologies urges users to update to the latest version.

ServerView Agents is a "server-management agent" that runs resident on Fujitsu's PRIMERGY servers, monitoring hardware status such as temperature, power, disks, and fans, and reporting it to administrators. It is widely deployed across data centers in government, finance, and manufacturing, and at sites running many PRIMERGY units it is effectively installed on nearly every machine. The flaw lies in how this resident software handles permissions: the highest level of authority, which should be limited to a few people, was left within reach of ordinary users.

Privilege escalation refers to a user with only limited rights illicitly obtaining higher-level authority they were never meant to have. Both of these flaws are of this type, and they are assigned the CVE numbers CVE-2026-27788 and CVE-2026-32325. In addition to JVN, each CVE can be confirmed in the U.S. National Institute of Standards and Technology database NVD. We look at the two flaws one by one below.

What Are the Two Vulnerabilities (by CVE)

Both flaws have the same outcome, that a user who can log in can seize SYSTEM privileges, but the underlying weakness is classified differently. SYSTEM is the topmost privilege in Windows, provided to run services and drivers; it holds even broader power than a human administrator (Administrator), equivalent to the OS itself.

CVE-2026-27788: Improper Assignment of Access Permissions (CWE-732)

This is a problem in which the access permissions (the settings for who may read, write, or execute) on files, folders, and configuration used by ServerView Agents were assigned more loosely than they should have been. The classification is CWE-732 (Incorrect Permission Assignment for Critical Resource). If an attacker replaces or writes their own file in a location with loose permissions, it ends up running with SYSTEM privileges, and the attacker thereby gains the highest authority. The severity is 8.5 in CVSS v4.0 and 7.8 in v3.0 (the vectors are "local, low privilege required, no user interaction," with high impact on confidentiality, integrity, and availability). See NVD's CVE-2026-27788 for details.

CVE-2026-32325: Privilege Escalation (CWE-268)

This flaw is a defect in privilege management itself, allowing a limited user to escalate to higher-level privileges. The classification is CWE-268 (Privilege Management failures). While its root cause is classified separately from CVE-2026-27788, the result is again seizure of SYSTEM privileges by a user who can log in. The severity is exactly the same as CVE-2026-27788: 8.5 in CVSS v4.0 and 7.8 in v3.0. Because the two are separate weaknesses, closing only one does not make you safe; both must be resolved by updating. Details are at NVD's CVE-2026-32325.

Vulnerability Overview

Item	Details
CVE IDs	CVE-2026-27788 CVE-2026-32325 (2 in total)
Advisory ID	JVN#67883085
Affected product	ServerView Agents for Windows (server-management software for PRIMERGY)
CVSS	Both: v4.0 = 8.5 v3.0 = 7.8
Weakness type	CVE-2026-27788: CWE-732 CVE-2026-32325: CWE-268
Impact	A user who can log in seizes SYSTEM privileges (local privilege escalation)
Affected versions	V11.60.04 and earlier
Fixed version	Update to the latest version (see vendor info for the exact version)
Reporter	Masahiro Iida (LAC Co., Ltd.)
Published	May 29, 2026
Exploitation	Not listed in U.S. CISA KEV (no exploitation confirmed)

As of June 1, 2026, this case is not listed in the "Known Exploited Vulnerabilities" catalog (KEV) published by the U.S. CISA (the cybersecurity agency under the U.S. Department of Homeland Security). Because this is not a flaw exploitable remotely without credentials, and because it is a new disclosure coordinated within Japan, no real-world exploitation has been confirmed at this time. Note that the same ServerView Agents for Windows had a separate flaw disclosed in January 2026 concerning file loading in its installer (JVN#65211823 / CVE-2026-24016, V11.50.06 and earlier). It is a different issue from the two here, but organizations running PRIMERGY should check their update status for both.

Could the Person Next to You Already Hold the Master Key

What makes these two flaws frightening is not an outside attack but that "someone who can already log in to the server" can climb up to the highest authority. The foothold could belong to an on-site contractor from an outsourced operations vendor, whoever holds a shared operations account passed around among several people, an intruder who first stole an ordinary employee's ID by phishing, or a former staffer whose account was left active after they left. Once SYSTEM privileges are taken, business systems, customer data, credentials, and even backups become reachable. The moment this CVE is abused, an entire server is taken over by a user who was supposed to have only limited rights.

The damage does not stop at that one machine. With the highest authority in hand, the attacker uses ServerView's hardware-management feature as an entry point to move laterally to other PRIMERGY units on the same management network, taking over multiple machines one after another. From there, if they proceed to exfiltrating core data, destroying backups, and deploying ransomware across every machine, the very foundation for recovery is lost. Because the management agent is installed in common on every machine, a single weakness becomes a "master key that works on the whole fleet," which is the troubling part.

The responsibility for this chain falls back on the company operating the servers and on the data center operator. If personal data leaks, notification to the individuals and a report to the Personal Information Protection Commission become necessary; if operations were contracted out, breach of the SLA (service-level agreement) brings liability; and the loss from halted core systems and the collapse of trust press down at the same time. Precisely because it was a hole in internal privilege management rather than a blow from outside, whether you can act now on updates and account cleanup directly determines the safety of the site.

Is Your Environment at Risk (Quick-Reference Table)

The level of risk depends on the version of ServerView Agents and on how tightly you have narrowed down the accounts that can log in to that server. Check which state your PRIMERGY is in using the table below. The target OS is Windows; the Linux edition (ServerView Agents for Linux) is out of scope here.

ServerView Agents version	OS	Login-account management state	Risk and action to take
V11.60.04 or earlier	Windows	Shared accounts exist contractors can also log in	Maximum risk. Highest authority can be seized Update now + audit accounts
V11.60.04 or earlier	Windows	Login limited to a few individual accounts	High risk. Insider/contractor abuse remains Update; monitor audit logs until then
V11.60.04 or earlier	Windows	Login holders unknown (no audit done)	High risk. You can't tell who can abuse it First, enumerate login rights
Latest (updated)	Windows	Any state	These 2 are resolved Keep minimizing accounts
Linux edition	Linux	Any state	Out of scope for JVN#67883085 Check vendor info separately

What to Do Right Now (Countermeasures)

The most reliable countermeasure is to update to the latest version provided by Fsas Technologies. Both flaws are resolved by the update. Until the update reaches every machine, you need operational measures so that "no one" can escalate to SYSTEM privileges. Proceed in the following order.

1. Update to the latest version. On the Fsas Technologies / Fujitsu support site and security information (PSIRT), confirm the exact latest version number that addresses this case (JVN#67883085), and apply it to every PRIMERGY that falls under the affected versions (V11.60.04 or earlier). Follow the vendor's guidance on the version number and do not leave an old version in place based on assumptions.

2. Audit and minimize the accounts that can log in to the server. This flaw assumes "the ability to log in." Enumerate the accounts that can log in to each PRIMERGY and delete the unnecessary ones. Immediately disable accounts of departed and transferred staff and of contractors whose engagements have ended.

3. Abolish shared accounts and split them per individual. Operations accounts passed around among several people make it impossible to trace who acted, and they are a breeding ground for abuse. As a rule, switch to per-individual accounts so you can record who logged in and when.

4. Restrict local-logon rights. Review the Windows account and rights settings and limit who can log on locally to the server to only those who truly need it for their work. The aim is to reduce the very entry points that can serve as a foothold.

5. Check ServerView's permissions and file ACLs. Inspect the access permissions (ACL, the list of who may read, write, or execute) on the folders, files, and services that ServerView uses, to ensure no loose settings remain that let ordinary users write. CVE-2026-27788 exploits this looseness, so this helps limit harm until the update is applied.

6. Monitor audit logs. Attempts at privilege escalation may leave traces as unfamiliar privilege acquisitions or unexpected operations performed with administrator rights. Add to your monitoring points any suspicious activity under SYSTEM privileges, rewriting of ServerView-related files, and logins in the middle of the night.

The more PRIMERGY units you have lined up, the more ServerView Agents is installed in common on every one of them, so even a single old version left behind becomes a foothold for an attack from within. For rolling out across the entire fleet, the key is "not to feel safe after updating only a representative machine." Cross-check against your asset inventory and confirm down to the point where not a single affected version remains. If you want to quickly grasp the weaknesses lurking in the software you operate in-house, the thinking behind the OSS supply-chain scanner is also a useful reference for taking inventory.