Skip to main content

Test Data Management CVE-2026-29522

HIGH
Path Traversal (CWE-22)
2026-03-16 VulnCheck
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 01, 2026 - 15:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 01, 2026 - 15:37 vuln.today
cvss_changed
CVSS changed
May 01, 2026 - 15:37 NVD
8.7 (HIGH)
Analysis Generated
Mar 16, 2026 - 20:56 vuln.today
CVE Published
Mar 16, 2026 - 20:46 nvd
N/A

DescriptionCVE.org

ZwickRoell Test Data Management versions prior to 3.0.8 contain a local file inclusion (LFI) vulnerability in the /server/node_upgrade_srv.js endpoint. An unauthenticated attacker can supply directory traversal sequences via the firmware parameter to access arbitrary files on the server, leading to information disclosure of sensitive system files.

AnalysisAI

Remote unauthenticated attackers can read arbitrary server files in ZwickRoell Test Data Management versions before 3.0.8 by exploiting a path traversal flaw in the node_upgrade_srv.js endpoint's firmware parameter. The vulnerability enables direct access to sensitive system files including credentials, configuration data, and source code without authentication. Despite the high CVSS score (8.7), the low EPSS probability (0.06%, 17th percentile) indicates minimal automated exploitation activity, though the unauthenticated network attack vector and low complexity make this readily exploitable if discovered by adversaries targeting industrial testing infrastructure.

Technical ContextAI

This local file inclusion vulnerability affects the /server/node_upgrade_srv.js endpoint in ZwickRoell's Test Data Management software, which manages test results and data from materials testing machines. The flaw stems from CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), where user-supplied input to the 'firmware' parameter lacks proper validation to prevent directory traversal sequences like '../'. The Node.js-based server endpoint processes these malicious paths without canonicalization or sandboxing, allowing an attacker to escape intended directories and access any file readable by the application's process permissions. The affected CPE (cpe:2.3:a:zwickroell_gmbh_&_co._kg:test_data_management) indicates this is a proprietary industrial software component, likely deployed in manufacturing and materials science laboratories where confidentiality of test data and intellectual property is critical.

RemediationAI

Upgrade ZwickRoell Test Data Management to version 3.0.8 or later, which addresses the path traversal vulnerability according to the CVE scope statement. Organizations should verify the installed version and contact ZwickRoell support channels for patch distribution mechanisms, as the vendor's standard software page does not provide direct download links. Until patching is complete, implement network segmentation to restrict access to the /server/node_upgrade_srv.js endpoint exclusively from trusted management networks-block external and general corporate network access using firewall rules or reverse proxy ACLs targeting this specific URI path. Deploy web application firewall rules to detect and block directory traversal patterns (../, ..\, URL-encoded variants) in the firmware parameter, though this is a compensating control that may be bypassed and should not replace patching. Monitor web server access logs for requests to node_upgrade_srv.js containing traversal sequences as an indicator of exploitation attempts. If the node upgrade functionality is not operationally required, disable the endpoint entirely by removing or renaming the node_upgrade_srv.js file, though this may impact legitimate firmware update capabilities and should be coordinated with operational requirements.

Share

CVE-2026-29522 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy