Array Networks MotionPro Local Privilege Escalation Vulnerability (CVE-2026-26364) Disclosed
A local privilege escalation vulnerability in Array Networks MotionPro, tracked as CVE-2026-26364, allows low-privileged attackers to gain SYSTEM-level access via incorrect permissions in the ArrayInstallManager DCOM application.
Array Networks has disclosed a local privilege escalation vulnerability in its MotionPro VPN client software, tracked as CVE-2026-26364 and ZDI-26-177. The flaw resides in the ArrayInstallManager DCOM application, where incorrect permission assignments allow an attacker with low-privileged code execution on the target system to escalate privileges to SYSTEM. This could enable full compromise of the affected endpoint, including arbitrary code execution with the highest Windows privileges.
The vulnerability was reported to Array Networks on May 21, 2025, and a coordinated public advisory was released on March 10, 2026. The issue has been fixed in MotionPro version 1.2.28, which is available for download from the Array Networks support portal. Organizations using earlier versions of MotionPro are urged to update immediately to mitigate the risk of local privilege escalation attacks.
MotionPro is a widely deployed VPN client used by enterprises to provide secure remote access to corporate networks. Because the vulnerability requires local access — meaning the attacker must already have the ability to execute low-privileged code on the machine — the primary threat scenario involves post-exploitation or insider threats. An attacker who has already compromised a user account could leverage this flaw to gain full administrative control over the system, potentially moving laterally across the network.
The vulnerability carries a CVSS score of 7.8 (High), with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates that exploitation is relatively straightforward for an attacker with local access and low privileges, requiring no user interaction. The impact on confidentiality, integrity, and availability is rated as High.
Array Networks has not reported any active exploitation of CVE-2026-26364 in the wild as of the advisory date. However, given the critical nature of VPN clients as an attack surface — often targeted by ransomware groups and advanced persistent threats — security teams should prioritize patching. The disclosure follows a broader trend of increasing scrutiny on VPN software vulnerabilities, which have been a frequent vector for initial access in major breaches.
Administrators are advised to update MotionPro to version 1.2.28 or later and to review local privilege configurations on endpoints. Additionally, monitoring for unusual privilege escalation attempts and restricting local user permissions can help reduce the attack surface. The credit for discovering the vulnerability goes to an anonymous researcher.