Privilege Escalation in Fortra File Integrity Monitoring (FIM)
Summary
| CVE | CVE-2026-12164 |
|---|---|
| State | PUBLISHED |
| Assigner | Fortra |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-23 23:16:49 UTC |
| Updated | 2026-06-23 23:16:49 UTC |
| Description | Fortra File Integrity Monitoring (FIM), formerly Tripwire Enterprise, versions prior to 9.4.0 may assign incorrect or elevated effective permissions to users created by the tetool import command while FIM is running, particularly when the import also creates or changes roles or role-permission relationships. |
Risk And Classification
Primary CVSS: v3.1 4.4 MEDIUM from df4dee71-de3a-4139-9588-11b62fe6c0ff
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Problem Types: CWE-266 (Incorrect privilege assignment)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | df4dee71-de3a-4139-9588-11b62fe6c0ff | Secondary | 4.4 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N |
| 3.1 | CNA | CVSS | 4.4 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | High |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | High |
| Availability | None |

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Fortra | File Integrity Monitoring FIM | affected 9.4.0 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.fortra.com/security/advisories/product-security/fi-2026-010 | df4dee71-de3a-4139-9588-11b62fe6c0ff | www.fortra.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
Solutions
CNA: Upgrade to version 9.4.0 or later.
There are currently no legacy QID mappings associated with this CVE.