Skip to main content

Sunnet CTMS/CPAS CVE-2026-7490

| EUVDEUVD-2026-26770 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-05-02 twcert
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
May 02, 2026 - 10:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 02, 2026 - 10:22 vuln.today
cvss_changed
CVSS changed
May 02, 2026 - 10:22 NVD
7.2 (HIGH) 8.6 (HIGH)
Analysis Generated
May 02, 2026 - 10:00 vuln.today
EUVD ID Assigned
May 02, 2026 - 09:30 euvd
EUVD-2026-26770
Analysis Generated
May 02, 2026 - 09:30 vuln.today
CVE Published
May 02, 2026 - 09:06 nvd
HIGH 8.6

DescriptionCVE.org

CTMS and CPAS developed by Sunnet has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

AnalysisAI

Arbitrary file upload in Sunnet CTMS and CPAS allows authenticated remote attackers with high privileges to upload and execute web shell backdoors, achieving full server compromise. The vulnerability enables complete control over affected systems via malicious file execution, with critical impact to confidentiality, integrity, and availability. Despite requiring high-privilege access (PR:H), the network-accessible attack vector and low complexity (AV:N/AC:L) make this exploitable by any authenticated administrator or privileged user, representing significant risk in environments where such credentials are compromised or where insider threats exist.

Technical ContextAI

This vulnerability is rooted in CWE-434 (Unrestricted Upload of File with Dangerous Type), a classic web application security flaw where insufficient validation of uploaded file content, extensions, or MIME types allows attackers to bypass security controls. Sunnet CTMS (likely a content or case management system) and CPAS (case/project administration system) both fail to properly validate uploaded files before storing and potentially executing them on the server. The CVSS 4.0 vector confirms network accessibility with low attack complexity and no additional attack requirements, meaning the only barrier is obtaining high-privilege credentials. Once authenticated with administrative rights, attackers can leverage file upload functionality - likely intended for legitimate document management - to instead upload executable web shells (PHP, JSP, ASPX, or similar server-side scripts depending on the underlying technology stack). These backdoors then execute within the application server's context, granting the attacker complete system-level control.

RemediationAI

Consult the official TWCERT advisories at https://www.twcert.org.tw/tw/cp-132-10894-1ac1f-1.html (Traditional Chinese) or https://www.twcert.org.tw/en/cp-139-10895-25ca1-2.html (English) for vendor-supplied patches and exact fixed versions - patch availability and version numbers are not confirmed in the provided intelligence data. Until patches are applied, implement these compensating controls with understanding of their limitations: Restrict file upload functionality to only highly trusted administrators via application-level access controls, recognizing this reduces usability for legitimate workflows. Implement strict server-side file type validation using both extension whitelisting (e.g., only .pdf, .docx) and content inspection (magic number verification), though determined attackers may bypass poorly implemented filters. Configure web server to prevent execution of scripts in upload directories via .htaccess rules (Apache) or web.config settings (IIS), though this may break legitimate application functionality if uploads are served from the same directory tree. Deploy web application firewall (WAF) rules to detect common web shell patterns in uploaded content, accepting risk of false positives blocking legitimate files containing code samples. Monitor file upload directories for unexpected executable extensions and establish baseline of normal upload activity to detect anomalies. Most critically, audit and minimize the number of accounts with high-privilege access and enforce multi-factor authentication for all administrative accounts to reduce credential compromise risk.

Share

CVE-2026-7490 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy