| Title | Topsec Technologies Inc. TopACM V3.0 OS Command Injection |
|---|---|
| Description | A critical security vulnerability exists in the nmc_sync.php endpoint due to improper validation of user-supplied input. Since this endpoint is accessible without authentication, a remote attacker can inject arbitrary shell commands by sending a specially crafted HTTP request. The vulnerability allows an attacker to redirect command execution results to a file within the web-accessible directory (view/systemConfig/management/), enabling a full "write-then-read" feedback loop. This bypasses typical blind injection limitations, allowing for persistent system compromise, sensitive data exfiltration, and complete control over the host server. |
| Source | https://my.feishu.cn/docx/EAFFdhzoeodDxfxeazNcxBzCnRf?from=from_copylink |
| User | 0menc (UID 75423) |
| Submission | 02/03/2026 03:27 (2 months ago) |
| Moderation | 14/03/2026 13:54 (12 days later) |
| Status | Accepted |
| VulDB Entry | 351077 [Topsec TopACM 3.0 HTTP Request nmc_sync.php template_path Privilege Escalation] |
| Points | 20 |