SMG Information Portal CVE-2025-5243
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SMG Software Information Portal allows Code Injection, Upload a Web Shell to a Web Server, Code Inclusion.
This issue affects Information Portal: before 13.06.2025.
AnalysisAI
Unauthenticated remote code execution in SMG Software Information Portal versions prior to 13.06.2025 allows attackers to upload web shells and inject OS commands, achieving full server compromise with a maximum CVSS score of 10.0. The vulnerability was reported by Turkey's national CERT (USOM) and no public exploit identified at time of analysis, though the trivial attack complexity and network-accessible nature make it a critical priority for any organization running the affected product.
Technical ContextAI
SMG Software's Information Portal is a web-based content/information management platform. The vulnerability combines two CWE-78 (OS Command Injection) class root causes with an unrestricted file upload flaw: the application accepts file uploads without validating file type or extension, allowing attacker-controlled scripts (web shells) to be placed in web-accessible directories, and separately fails to neutralize special shell metacharacters in user input that is passed to OS command execution. Either primitive alone yields code execution; together they offer multiple paths to compromise. No CPE entries are published for this vendor/product in the provided data, which limits automated asset discovery.
Affected ProductsAI
SMG Software Information Portal, all versions released before 13.06.2025 (13 June 2025), is affected. No CPE identifier was published in the available intelligence and no vendor advisory URL is included in the references; the only authoritative pointers are the Turkish national CERT advisories at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0174 and https://www.usom.gov.tr/bildirim/tr-25-0174, which should be consulted for the exact build identifier corresponding to the 13.06.2025 cutoff.
RemediationAI
Upgrade SMG Software Information Portal to the release dated 13.06.2025 or later, which is identified as the fixed build per the USOM advisory (https://www.usom.gov.tr/bildirim/tr-25-0174 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0174); contact SMG Software directly for the exact patched version string, as the vendor advisory is not linked in the available data. Until patching is possible, restrict access to the portal to trusted IP ranges via firewall or reverse-proxy ACLs (side effect: breaks legitimate remote access), disable or block the file upload endpoints at the web server layer (side effect: removes upload functionality for legitimate users), and add a WAF rule to inspect and reject requests containing shell metacharacters (;, |, &, backticks, $()) in user-controllable parameters and to block uploads of files with executable extensions such as .php, .jsp, .asp, .aspx, .sh (side effect: false positives on legitimate content containing those characters). Audit web-root directories for unknown files placed before patching, as exploitation may already have occurred.
Same weakness CWE-78 – OS Command Injection
View allSame technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today