Skip to main content

Vertigis Fm CVE-2026-0522

| EUVDEUVD-2026-17877 HIGH
Externally Controlled Reference to a Resource in Another Sphere (CWE-610)
2026-04-01 NCSC.ch
7.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:09 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
10.11.363
EUVD ID Assigned
Apr 01, 2026 - 13:30 euvd
EUVD-2026-17877
Analysis Generated
Apr 01, 2026 - 13:30 vuln.today
CVE Published
Apr 01, 2026 - 13:11 nvd
HIGH 7.4

DescriptionCVE.org

A local file inclusion vulnerability in the upload/download flow of the VertiGIS FM application allows authenticated attackers to read arbitrary files from the server by manipulating a file's path during its upload. When the file is subsequently downloaded, the file in the attacker controlled path is returned. Due to the application's ASP.NET architecture, this could potentially lead to remote code execution when the "web.config" file is obtained. Furthermore, the application resolves UNC paths which may enable NTLM-relaying attacks.

This issue affects VertiGIS FM: 10.5.00119 (0d29d428).

AnalysisAI

Local file inclusion in VertiGIS FM's upload/download mechanism allows authenticated attackers to read arbitrary server files by manipulating file paths during upload, with potential for remote code execution if web.config is obtained and NTLM-relay attacks via UNC path resolution. VertiGIS FM version 10.5.00119 and earlier are affected, and the vulnerability requires valid application credentials to exploit.

Technical ContextAI

VertiGIS FM is an ASP.NET-based web application that handles file upload and download operations. The vulnerability stems from improper path validation during the upload/download flow (CWE-610: Externally Controlled Reference to a Resource in Another Sphere). Attackers with valid credentials can manipulate file path parameters during upload to reference arbitrary locations on the server's filesystem. When the file is subsequently downloaded, the application returns the file at the attacker-specified path rather than the legitimate upload location. Because VertiGIS FM runs on ASP.NET, obtaining sensitive configuration files like web.config-which contains database credentials, encryption keys, and other sensitive settings-could enable code execution through config-based attacks. Additionally, the application's resolution of UNC (Universal Naming Convention) paths creates a secondary attack vector for NTLM-relay attacks, where an attacker can coerce the server into authenticating to an attacker-controlled network resource, potentially leading to credential theft or lateral movement.

RemediationAI

Organizations should immediately apply the security patch released by VertiGIS as documented in the official advisory at https://support.vertigis.com/hc/en-us/articles/31214433137042-Security-Vulnerability-VertiGIS-FM. The advisory will specify the patched version number and upgrade procedure. As an interim mitigation, restrict access to the VertiGIS FM application to only users who require it, enforce strong authentication policies, monitor file upload/download activity for suspicious path manipulation attempts (such as path traversal sequences like ../ or UNC paths), and review web.config access logs for unauthorized reads. Additionally, implement network-level controls to prevent NTLM-relay attacks by disabling NTLM where possible and enforcing SMB signing on internal network resources. Do not delay patching, as this vulnerability combines authentication bypass potential with RCE.

Share

CVE-2026-0522 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy