// 5 ZERO-DAY · 3 CVE · 5 EXPLOIT IN THE LAST 24H
ZDI-26-432 (CVE-2026-13268, CVSS 7.8) details a symbolic link following attack in the G DATA Total Security Backup Service. Here is the mechanism and the danger for organizations.

On July 15, 2026, Trend Micro published advisory ZDI-26-432, documenting a vulnerability in the G DATA Total Security Backup Service. The flaw, cataloged as CVE-2026-13268 with a CVSS score of 7.8, allows an attacker with limited local access to escalate privileges to SYSTEM through a symbolic link following attack. The report was sent to the vendor on February 12: five months of coordination that end with public disclosure without the dossier confirming an available patch.

Key Takeaways
  • Vulnerability ZDI-26-432 (CVE-2026-13268, CVSS 7.8) affects the G DATA Total Security Backup Service and was publicly disclosed on July 15, 2026.
  • The attack mechanism exploits a symbolic link to induce the service to delete arbitrary files, resulting in escalation to SYSTEM privileges.
  • A prerequisite of local access with low-privilege code execution is required: this is not a remote attack.
  • The ZDI–G DATA coordination lasted approximately five months, but the dossier does not specify whether a fixed version or dedicated patch exists.

The flaw resides specifically in the Backup Service, a component that operates with elevated privileges to manage backups and operations on system files. According to the ZDI advisory, the service does not properly validate paths when processing directories accessible to unprivileged users. An attacker who has already obtained code execution with limited privileges can create a symbolic link in a controlled location: when the backup service interacts with that path, the link following redirects it to arbitrary system files.

The immediate effect is the unauthorized deletion of files, but the vector extends further. The advisory explicitly states that the attacker can "leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM." The transition from file deletion to arbitrary execution with maximum privileges indicates that the service, beyond following links, performs subsequent operations — likely in the handling of temporary or log files — that expose functionality to broader manipulation than intended.

Why SYSTEM Privileges Change the Game

Execution in the SYSTEM context represents the highest privilege level on Windows, superior even to local administrators in many operational scenarios. An attacker with this access can compromise every aspect of the system: install drivers, modify the registry, alter security binaries, or disable protection mechanisms. In this specific case, the vulnerable product is an endpoint security tool: the operational irony is that a component designed to protect the system — the backup with elevated privileges — becomes the compromise path itself.

The CVSS 7.8 score, according to the advisory table published by ZDI, places the vulnerability in the high-severity band. The value reflects the combination of required local access with total impact on confidentiality, integrity, and availability of the compromised system. However, the full vector string does not emerge, which would have allowed verification of the exact weight distribution across the various parameters.

"By creating a symbolic link, an attacker can abuse the service to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM." — ZDI Advisory ZDI-26-432

Five Months of Coordination, Few Operational Details

The timeline published by the advisory documents standard ZDI program coordination: report to vendor on February 12, 2026, coordinated release on July 15, 2026. The approximately five-month period is consistent with typical responsible disclosure windows, but does not automatically imply the vendor distributed a fix. The dossier does not list a patched version, does not provide a dedicated fix URL beyond the advisory address itself, and does not identify the researcher who discovered the vulnerability.

The CVE-2026-13268 record, viewable on cve.org, shows a "reserved" status: the identifier is assigned and confirmed, but technical details have not yet been populated by the CNA (CVE Numbering Authority). This is a common pattern in early disclosure phases, but leaves an information gap that organizations must fill with direct verification from the vendor. The ZDI record remains, at present, the most detailed publicly available primary source.

The Recurring Pattern: Security Services as Attack Surface

The vulnerability fits into a pattern documented for years in endpoint security: elevated-privilege processes that interact with shared resources or user directories are systematically exposed to race conditions and path manipulations. Antivirus and backup software are particularly at risk because, by design, they must access every area of the filesystem, operate with maximum permissions, and often expose always-on services that process external or semi-external input.

The symbolic link following attack is not technically sophisticated: it requires the ability to create a link in a location that the privileged service consults, and the absence of path canonicalization checks. The criticality stems from the combination of exploit simplicity with high impact, not from offensive engineering complexity. For organizations deploying G DATA Total Security in multi-user environments or on terminal servers, the risk is concrete: any account with local execution, even heavily restricted, becomes a potential entry point for complete machine compromise.

Why This Matters

The dossier does not specify whether the vulnerable Backup Service is installed by default in all editions of G DATA Total Security or represents an optional component. It is unknown whether fixed product versions exist, or whether the vendor distributed an automatic or manual update during the five months of coordination. The ZDI advisory also does not document whether the vulnerability has been exploited actively in the wild.

The CVSS vector string is not available in the sources, preventing verification of whether the 7.8 score includes variables for complex attack requirements such as specific configuration conditions. Discovery credit is not attributed, eliminating a potential channel for technical deep-dive through the researcher. The CVE record, finally, adds no details beyond confirmation of assignment.

For organizations using the product, the uncertainty perimeter is wide: without explicit vendor guidance on the fixed version, service presence in the installation, or workaround availability, the problem remains of independently verifying the status of their instances. The nature of the flaw — local, with a limited execution prerequisite — does not make it a priority compared to pre-authentication remote vulnerabilities, but places it in a risk category often underestimated: compromise by insider or by an attack chain initiated with another local vector.

Frequently Asked Questions

Is remote access required to exploit this vulnerability?

No. The dossier explicitly documents that the attack requires low-privilege code execution on the target machine. It is not a remote vulnerability.

Is it confirmed that the vulnerability has been actively exploited?

No. The ZDI advisory and linked sources do not document cases of exploitation in the wild.

Does a patched version of G DATA Total Security exist?

The dossier does not specify a fixed version nor confirm the availability of a patch. Verification must be performed directly with the vendor or through the product's update channels.

Information is based on the cited advisory and current as of publication.

Sources

Information is based on the cited source and current as of publication.

Sources


Sources and references
  1. zerodayinitiative.com
  2. cve.org
  3. trendmicro.com