CVE-2026-51119 in Invixium IXM WEBinfo

Summary

by MITRE • 07/10/2026

An issue in Invixium IXM WEB v.2.3.85.25 allows an attacker to escalate privileges via the /SystemUsers/CreateAppUser components

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability identified in Invixium IXM WEB version 2.3.85.25 represents a critical privilege escalation flaw within the application's user management subsystem. This issue manifests through the /SystemUsers/CreateAppUser component which fails to properly validate authorization contexts during user creation operations. The flaw allows an attacker with limited access privileges to manipulate the system's user hierarchy and potentially gain administrative rights through improper input handling and insufficient access control enforcement mechanisms.

This vulnerability falls under the CWE-269: "Improper Privilege Management" category, specifically manifesting as inadequate authorization checks within the application's authentication framework. The root cause lies in the failure of the CreateAppUser endpoint to verify whether the requesting entity possesses sufficient privileges to create new user accounts with elevated permissions. Attackers can exploit this by crafting malicious requests that bypass normal access controls and inject privileged user creation commands into the system's user management pipeline.

The operational impact of this vulnerability extends beyond simple privilege escalation, as it provides attackers with potential pathways to compromise the entire system infrastructure. Once an attacker successfully exploits this weakness, they can create new administrator accounts with full system access, effectively undermining the application's security model and potentially gaining persistence within the network environment. The vulnerability affects the integrity and confidentiality of the system by allowing unauthorized entities to manipulate user access controls and escalate their privileges without proper authentication mechanisms.

Security professionals should implement immediate mitigations including strengthening input validation on all user creation endpoints, enforcing mandatory role-based access controls, and implementing comprehensive audit logging for privilege-related operations. Organizations must also consider applying the principle of least privilege to limit the scope of potential exploitation and ensure that administrative functions require additional verification steps beyond basic authentication. The attack surface can be reduced by implementing proper authorization checks at multiple layers within the application architecture and ensuring that all user creation operations validate the requesting entity's permissions against predefined access control lists.

From an ATT&CK framework perspective, this vulnerability maps to T1078: Valid Accounts and T1548: Abuse Elevation of Privilege techniques, as attackers can leverage legitimate system accounts to escalate their privileges through improper authorization controls. The affected system components should undergo comprehensive security assessments including penetration testing and code review processes to identify similar weaknesses in related user management functions and ensure proper implementation of access control mechanisms throughout the application's architecture.

The remediation process requires immediate patching of the vulnerable component and implementation of robust input sanitization procedures that validate all parameters passed to the CreateAppUser endpoint. Security configurations should be reviewed to ensure that default administrative accounts are properly secured and that privilege escalation paths are eliminated through proper authorization enforcement. Regular security audits and vulnerability assessments should be conducted to identify similar issues in other system components and maintain a strong security posture against evolving threat landscapes.

Responsible

MITRE

Reservation

06/07/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you know our Splunk app?

Download it now for free!