CVE-2026-2123 is a privilege escalation vulnerability affecting OpenText Operations Agent versions up to 12.29 on Windows platforms. The root cause is improper handling of insufficient permissions or privileges (CWE-280), where the agent may execute arbitrary executables located in specific writable directories. Under certain conditions, a low-privileged user can place a malicious executable in these directories, which the Operations Agent then runs with elevated privileges. This behavior stems from inadequate validation of executable paths and permissions, allowing privilege escalation from a low-privileged context to higher system privileges. The vulnerability was discovered during a security audit and responsibly reported by security researchers Manuel Rickli and Philippe Leiser from Oneconsult AG. The CVSS 4.0 base score is 8.6, reflecting a high severity with significant impacts on confidentiality, integrity, and availability. The attack vector is local (AV:L), requiring low attack complexity (AC:L) and no authentication (AT:N), but some user interaction (UI:P) is necessary. The vulnerability affects version 12.22 and earlier, with no patches publicly available at the time of disclosure. While no known exploits are currently in the wild, the potential for misuse in enterprise environments is considerable due to the elevated privileges the Operations Agent holds and its widespread use in IT operations management.

The vulnerability allows an attacker with low-level access to escalate privileges on affected Windows systems running OpenText Operations Agent. This can lead to unauthorized execution of code with elevated privileges, potentially compromising system integrity, confidentiality, and availability. Attackers could leverage this to install persistent malware, manipulate system configurations, or disrupt operations. Given the agent’s role in managing enterprise IT infrastructure, exploitation could facilitate lateral movement within networks, data exfiltration, or disruption of critical services. The impact is particularly severe in environments where the Operations Agent is deployed on servers or endpoints that handle sensitive data or critical business functions. Organizations may face operational downtime, data breaches, or compliance violations if exploited. The absence of known exploits currently reduces immediate risk, but the high CVSS score and nature of the vulnerability indicate a strong likelihood of future exploitation attempts.

Organizations should immediately audit and restrict write permissions on directories accessible by the OpenText Operations Agent to prevent unauthorized placement of executables. Implement strict access controls and monitor these directories for suspicious files. Until an official patch is released, consider temporarily disabling or limiting the Operations Agent’s functionality on critical systems if feasible. Employ application whitelisting to prevent execution of unauthorized binaries. Regularly review and update endpoint protection and intrusion detection systems to detect anomalous behaviors related to the Operations Agent. Engage with OpenText support to obtain patches or workarounds as soon as they become available. Conduct thorough security awareness training to reduce risky user interactions that could facilitate exploitation. Additionally, implement robust logging and alerting to detect potential privilege escalation attempts leveraging this vulnerability.