
CVE-2026-2627: Link Following in Softland FBackup

Severity: High
Type: Vulnerability
Published: Tue Feb 17 2026 (02/17/2026, 21:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Softland
Product: FBackup

Description

A security flaw has been discovered in Softland FBackup up to 9.9. This impacts an unknown function in the library C:\Program Files\Common Files\microsoft shared\ink\HID.dll of the component Backup/Restore. The manipulation results in link following. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/24/2026, 23:22:18 UTC

Technical Analysis

CVE-2026-2627 is a vulnerability identified in Softland FBackup software versions 9.0 through 9.9, specifically within a component responsible for backup and restore operations. The flaw is rooted in an unsafe link following behavior in the HID.dll library located at C:\Program Files\Common Files\microsoft shared\ink\HID.dll. This library is part of the Microsoft shared ink components but is utilized by FBackup in its backup/restore functionality.

The vulnerability allows an attacker with local access and low privileges (PR:L) to manipulate symbolic or hard links, potentially redirecting backup or restore operations to unintended locations. This can lead to unauthorized access, modification, or deletion of backup data, impacting confidentiality, integrity, and availability. The attack vector requires no user interaction and no elevated privileges beyond local access, making it easier to exploit in environments where local access is possible.

The vendor was notified early but has not issued any patches or advisories, and the exploit code has been publicly released, increasing the risk of exploitation. The CVSS v4.0 score of 8.5 reflects the high impact on confidentiality, integrity, and availability, combined with relatively low attack complexity and no user interaction required. No known exploits in the wild have been reported yet, but the public availability of exploit code necessitates urgent attention from affected users. The vulnerability does not involve network attack vectors, limiting remote exploitation but posing a significant risk in multi-user or shared environments where local access can be gained.

Potential Impact

The vulnerability poses a significant risk to organizations relying on Softland FBackup for critical backup and restore operations. Exploitation can lead to unauthorized disclosure, modification, or destruction of backup data, undermining data integrity and availability. This can result in data loss, disruption of business continuity, and potential exposure of sensitive information. Since backups are often the last line of defense against ransomware and data corruption, compromising backup integrity can severely impact incident recovery efforts. The local attack requirement limits remote exploitation but does not eliminate risk in environments with multiple users, shared workstations, or where attackers can gain local access through other means (e.g., phishing, insider threats). The lack of vendor response and absence of patches increases the window of exposure. Organizations may face compliance and regulatory risks if backup data confidentiality or integrity is compromised. Overall, the vulnerability threatens the reliability of backup processes, which are critical for organizational resilience.

Mitigation Recommendations

Given the absence of official patches, organizations should implement immediate compensating controls. These include restricting local access to systems running Softland FBackup to trusted personnel only, enforcing strict access controls and user permissions to limit who can execute or modify backup operations. Employ application whitelisting and endpoint protection solutions to detect and prevent exploitation attempts involving link manipulation. Regularly audit and monitor backup directories and related file system objects for unauthorized symbolic or hard links. Consider isolating backup servers or workstations from general user environments to reduce local attack surface. If feasible, temporarily discontinue use of affected FBackup versions and migrate to alternative backup solutions until a patch is available. Maintain offline and immutable backup copies to ensure recovery capability in case of compromise. Additionally, monitor security forums and vendor channels for updates or patches addressing this vulnerability. Implementing strong physical security controls and endpoint detection and response (EDR) tools can further reduce risk.
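
One way to run the link audit recommended above, as an added example that is not part of the original advisory or any vendor tooling: the PowerShell script below walks a backup folder and reports symbolic links, junctions and files that have more than one hard link. The path D:\Backups and the function name Get-LinkFinding are assumptions chosen for illustration.

```powershell
# Added example: list reparse points and multiply-linked files under a backup
# tree so unexpected links can be reviewed before a backup or restore job runs.
param(
    # Assumed path; set it to the folders your backup jobs read from or write to.
    [string]$BackupRoot = 'D:\Backups'
)

function Get-LinkFinding {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
                # Symbolic links, junctions and mount points all carry this attribute.
                [pscustomobject]@{
                    Kind    = if ($item.LinkType) { $item.LinkType } else { 'ReparsePoint' }
                    Path    = $item.FullName
                    Details = ($item.Target -join '; ')
                }
            }
            elseif (-not $item.PSIsContainer) {
                # fsutil prints one line per name that refers to the same file data.
                $names = @(& fsutil.exe hardlink list $item.FullName 2>$null)
                if ($LASTEXITCODE -eq 0 -and $names.Count -gt 1) {
                    [pscustomobject]@{
                        Kind    = 'HardLink'
                        Path    = $item.FullName
                        Details = ($names -join '; ')
                    }
                }
            }
        }
}

$findings = @(Get-LinkFinding -Root $BackupRoot)
if ($findings.Count -eq 0) {
    Write-Output "No reparse points or multiply-linked files under $BackupRoot"
} else {
    $findings | Sort-Object Kind, Path | Format-Table -AutoSize -Wrap
    exit 1   # non-zero exit lets a scheduled task or monitoring agent raise an alert
}
```

Run it from an account that can read the whole tree, and compare each finding against the links you expect to exist; anything created by a low-privileged user inside a path that the backup job processes deserves review.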


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-02-17T13:24:38.763Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6994e1f780d747be20dad4ab

Added to database: 2/17/2026, 9:47:35 PM

Last enriched: 2/24/2026, 11:22:18 PM

Last updated: 4/3/2026, 5:58:01 AM
