Test Data Management
CVE-2026-29522
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
ZwickRoell Test Data Management versions prior to 3.0.8 contain a local file inclusion (LFI) vulnerability in the /server/node_upgrade_srv.js endpoint. An unauthenticated attacker can supply directory traversal sequences via the firmware parameter to access arbitrary files on the server, leading to information disclosure of sensitive system files.
AnalysisAI
Remote unauthenticated attackers can read arbitrary server files in ZwickRoell Test Data Management versions before 3.0.8 by exploiting a path traversal flaw in the node_upgrade_srv.js endpoint's firmware parameter. The vulnerability enables direct access to sensitive system files including credentials, configuration data, and source code without authentication. Despite the high CVSS score (8.7), the low EPSS probability (0.06%, 17th percentile) indicates minimal automated exploitation activity, though the unauthenticated network attack vector and low complexity make this readily exploitable if discovered by adversaries targeting industrial testing infrastructure.
Technical ContextAI
This local file inclusion vulnerability affects the /server/node_upgrade_srv.js endpoint in ZwickRoell's Test Data Management software, which manages test results and data from materials testing machines. The flaw stems from CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), where user-supplied input to the 'firmware' parameter lacks proper validation to prevent directory traversal sequences like '../'. The Node.js-based server endpoint processes these malicious paths without canonicalization or sandboxing, allowing an attacker to escape intended directories and access any file readable by the application's process permissions. The affected CPE (cpe:2.3:a:zwickroell_gmbh_&_co._kg:test_data_management) indicates this is a proprietary industrial software component, likely deployed in manufacturing and materials science laboratories where confidentiality of test data and intellectual property is critical.
RemediationAI
Upgrade ZwickRoell Test Data Management to version 3.0.8 or later, which addresses the path traversal vulnerability according to the CVE scope statement. Organizations should verify the installed version and contact ZwickRoell support channels for patch distribution mechanisms, as the vendor's standard software page does not provide direct download links. Until patching is complete, implement network segmentation to restrict access to the /server/node_upgrade_srv.js endpoint exclusively from trusted management networks-block external and general corporate network access using firewall rules or reverse proxy ACLs targeting this specific URI path. Deploy web application firewall rules to detect and block directory traversal patterns (../, ..\, URL-encoded variants) in the firmware parameter, though this is a compensating control that may be bypassed and should not replace patching. Monitor web server access logs for requests to node_upgrade_srv.js containing traversal sequences as an indicator of exploitation attempts. If the node upgrade functionality is not operationally required, disable the endpoint entirely by removing or renaming the node_upgrade_srv.js file, though this may impact legitimate firmware update capabilities and should be coordinated with operational requirements.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today