Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
CTMS and CPAS developed by Sunnet has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
AnalysisAI
Arbitrary file upload in Sunnet CTMS and CPAS allows authenticated remote attackers with high privileges to upload and execute web shell backdoors, achieving full server compromise. The vulnerability enables complete control over affected systems via malicious file execution, with critical impact to confidentiality, integrity, and availability. Despite requiring high-privilege access (PR:H), the network-accessible attack vector and low complexity (AV:N/AC:L) make this exploitable by any authenticated administrator or privileged user, representing significant risk in environments where such credentials are compromised or where insider threats exist.
Technical ContextAI
This vulnerability is rooted in CWE-434 (Unrestricted Upload of File with Dangerous Type), a classic web application security flaw where insufficient validation of uploaded file content, extensions, or MIME types allows attackers to bypass security controls. Sunnet CTMS (likely a content or case management system) and CPAS (case/project administration system) both fail to properly validate uploaded files before storing and potentially executing them on the server. The CVSS 4.0 vector confirms network accessibility with low attack complexity and no additional attack requirements, meaning the only barrier is obtaining high-privilege credentials. Once authenticated with administrative rights, attackers can leverage file upload functionality - likely intended for legitimate document management - to instead upload executable web shells (PHP, JSP, ASPX, or similar server-side scripts depending on the underlying technology stack). These backdoors then execute within the application server's context, granting the attacker complete system-level control.
RemediationAI
Consult the official TWCERT advisories at https://www.twcert.org.tw/tw/cp-132-10894-1ac1f-1.html (Traditional Chinese) or https://www.twcert.org.tw/en/cp-139-10895-25ca1-2.html (English) for vendor-supplied patches and exact fixed versions - patch availability and version numbers are not confirmed in the provided intelligence data. Until patches are applied, implement these compensating controls with understanding of their limitations: Restrict file upload functionality to only highly trusted administrators via application-level access controls, recognizing this reduces usability for legitimate workflows. Implement strict server-side file type validation using both extension whitelisting (e.g., only .pdf, .docx) and content inspection (magic number verification), though determined attackers may bypass poorly implemented filters. Configure web server to prevent execution of scripts in upload directories via .htaccess rules (Apache) or web.config settings (IIS), though this may break legitimate application functionality if uploads are served from the same directory tree. Deploy web application firewall (WAF) rules to detect common web shell patterns in uploaded content, accepting risk of false positives blocking legitimate files containing code samples. Monitor file upload directories for unexpected executable extensions and establish baseline of normal upload activity to detect anomalies. Most critically, audit and minimize the number of accounts with high-privilege access and enforce multi-factor authentication for all administrative accounts to reduce credential compromise risk.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26770