Skip to main content

SMG Information Portal CVE-2025-5243

CRITICAL
OS Command Injection (CWE-78)
2025-07-24 iletisim@usom.gov.tr
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 15:31 vuln.today

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SMG Software Information Portal allows Code Injection, Upload a Web Shell to a Web Server, Code Inclusion.

This issue affects Information Portal: before 13.06.2025.

AnalysisAI

Unauthenticated remote code execution in SMG Software Information Portal versions prior to 13.06.2025 allows attackers to upload web shells and inject OS commands, achieving full server compromise with a maximum CVSS score of 10.0. The vulnerability was reported by Turkey's national CERT (USOM) and no public exploit identified at time of analysis, though the trivial attack complexity and network-accessible nature make it a critical priority for any organization running the affected product.

Technical ContextAI

SMG Software's Information Portal is a web-based content/information management platform. The vulnerability combines two CWE-78 (OS Command Injection) class root causes with an unrestricted file upload flaw: the application accepts file uploads without validating file type or extension, allowing attacker-controlled scripts (web shells) to be placed in web-accessible directories, and separately fails to neutralize special shell metacharacters in user input that is passed to OS command execution. Either primitive alone yields code execution; together they offer multiple paths to compromise. No CPE entries are published for this vendor/product in the provided data, which limits automated asset discovery.

Affected ProductsAI

SMG Software Information Portal, all versions released before 13.06.2025 (13 June 2025), is affected. No CPE identifier was published in the available intelligence and no vendor advisory URL is included in the references; the only authoritative pointers are the Turkish national CERT advisories at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0174 and https://www.usom.gov.tr/bildirim/tr-25-0174, which should be consulted for the exact build identifier corresponding to the 13.06.2025 cutoff.

RemediationAI

Upgrade SMG Software Information Portal to the release dated 13.06.2025 or later, which is identified as the fixed build per the USOM advisory (https://www.usom.gov.tr/bildirim/tr-25-0174 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0174); contact SMG Software directly for the exact patched version string, as the vendor advisory is not linked in the available data. Until patching is possible, restrict access to the portal to trusted IP ranges via firewall or reverse-proxy ACLs (side effect: breaks legitimate remote access), disable or block the file upload endpoints at the web server layer (side effect: removes upload functionality for legitimate users), and add a WAF rule to inspect and reject requests containing shell metacharacters (;, |, &, backticks, $()) in user-controllable parameters and to block uploads of files with executable extensions such as .php, .jsp, .asp, .aspx, .sh (side effect: false positives on legitimate content containing those characters). Audit web-root directories for unknown files placed before patching, as exploitation may already have occurred.

Share

CVE-2025-5243 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy