Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9DescriptionCVE.org
NewSoftOA developed by NewSoft has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server.
AnalysisAI
OS command injection in NewSoft NewSoftOA allows remote unauthenticated attackers to execute arbitrary system commands on the server. CVSS 9.3 (Critical) with network attack vector and no authentication required. The description contains a contradiction - it states 'local attackers' while CVSS vector indicates AV:N (network-accessible). Based on CVSS vector, this is remotely exploitable without authentication. No CISA KEV listing or public exploit code identified at time of analysis, but network accessibility and lack of auth barriers make this a high-priority remediation target for organizations running NewSoftOA.
Technical ContextAI
NewSoftOA is an office automation system developed by NewSoft. The vulnerability is a classic OS command injection flaw (CWE-78), where user-supplied input is passed unsanitized to system command execution functions (such as system(), exec(), popen(), or similar APIs). The CVSS 4.0 vector shows network attack surface (AV:N) with low complexity (AC:L) and no privileges required (PR:N), indicating the vulnerable endpoint is exposed to network requests without authentication. The affected product CPE (cpe:2.3:a:newsoft:newsoftoa) does not specify version constraints, suggesting potentially all versions may be vulnerable pending vendor clarification. Command injection vulnerabilities allow attackers to break out of intended command parameters and execute arbitrary operating system commands with the privileges of the web application process.
RemediationAI
Contact NewSoft Corporation immediately for patch availability and upgrade to the fixed version per vendor guidance published at Taiwan CERT advisories (https://www.twcert.org.tw/tw/cp-132-10856-4979f-1.html or https://www.twcert.org.tw/en/cp-139-10857-c46f7-2.html). No specific patched version number is confirmed in available NVD data at time of analysis - consult vendor bulletin directly. As interim mitigation if patch unavailable, restrict network access to NewSoftOA to trusted IP ranges only via firewall rules or reverse proxy ACLs, reducing attack surface from internet-wide (AV:N) to controlled networks. Implement web application firewall (WAF) rules to detect and block command injection patterns (shell metacharacters like semicolons, pipes, backticks in user input), though this is bypassable and not a substitute for patching. Disable or remove any administrative interfaces exposed to untrusted networks. Run the application with least-privilege service accounts to limit impact of successful command execution. Monitor system logs for unexpected process execution from web server parent processes. These compensating controls reduce but do not eliminate risk.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24054