CVE-2026-28267

Vulnerability

Overview

Multiple i-フィルター products from Digital Arts Inc. are affected by an incorrect default permissions vulnerability [CWE-276]. The software installs or configures directories with file access permission settings that are too permissive, allowing a local non-administrative user to create or overwrite files in the system directory or the backup directory [1]. This issue is tracked as CVE-2026-28267.

Exploitation

Details

Exploitation requires local access to the Windows system and a non-administrative user account (privilege level PR:L). No user interaction is needed (UI:N) and the attack complexity is low (AC:L). An attacker can write arbitrary files to sensitive locations without needing to escalate privileges first [1].

Potential

Impact

The integrity impact is rated high (I:H), as the attacker can modify system files or backup data, potentially leading to persistent tampering, data corruption, or subsequent privilege escalation if the written files are executed or processed by a higher integrity process. Confidentiality and availability are not directly affected [1].

Mitigation

Status

Digital Arts has released updates to fix the permissions for the affected products, including i-フィルター 10 (Ver.10.02.00), i-フィルター 6.0 (Ver.6.00.57), and others listed in the advisory [1]. Users of any i-フィルター product (Windows version) or resold variants from OPTiM, Inventit, or Fujitsu are advised to apply the latest version. Note that this does not affect Digital Arts’ separate i-FILTER product [1].