Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Advisory describes unauthenticated network-reachable upload yielding code inclusion with no user interaction, so AV:N/AC:L/PR:N/UI:N and full C/I/A:H on the same appliance.
Primary rating from Vendor (TR-CERT).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
Unrestricted upload of file with dangerous type vulnerability in Limatek System Inc. LimRAD NAC allows Remote Code Inclusion.
This issue affects LimRAD NAC: before 5.5.7.3.9.
AnalysisAI
Remote code execution in Limatek System Inc. LimRAD NAC versions prior to 5.5.7.3.9 allows unauthenticated remote attackers to upload dangerous file types and achieve Remote Code Inclusion. The CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) rating reflects an internet-reachable, no-interaction exploitation path against a network access control appliance, though no public exploit identified at time of analysis. The vulnerability was disclosed by TR-CERT and tracked in Turkish national vulnerability advisory TR-26-0366.
Technical ContextAI
LimRAD NAC is a Network Access Control product from Turkish vendor Limatek System Inc., typically deployed at the network edge to enforce device admission policies. The flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the upload handler does not validate file extension, MIME type, or content against an allowlist before storing or processing the file. The CPE string cpe:2.3:a:limatek_system_inc.:limrad_nac:*:*:*:*:*:*:*:* covers all versions of the product up to the fixed release. Because the advisory describes the outcome as 'Remote Code Inclusion', the uploaded file is rendered or included by a server-side interpreter (e.g., a web language runtime hosting the management UI), turning an upload primitive into arbitrary code execution within the appliance.
RemediationAI
Vendor-released patch: upgrade LimRAD NAC to version 5.5.7.3.9 or later, which is the fixed release identified in the TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0366. Until the upgrade can be staged, restrict reachability of the LimRAD NAC management and any file-upload endpoints to a dedicated administrative VLAN or jump host (trade-off: legitimate remote administration must move through that path), and place a reverse proxy or WAF rule in front of the appliance that blocks multipart/form-data POSTs containing executable extensions such as .php, .jsp, .asp, .aspx, or double-extension uploads (trade-off: may break legitimate file imports if the appliance accepts those for policy uploads). Monitor the appliance's webroot and upload directory for unexpected newly written files and review web server access logs for POSTs to upload handlers from non-administrative source IPs.
More in Limrad Nac
View allSame technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36237
GHSA-3746-gq88-gwxx