| Title | Topsec Technologies Inc. TopACM V3.0 OS Command Injection |
|---|---|
| Description | A critical security vulnerability exists in the `nmc_sync.php` endpoint due to improper validation of user-supplied input. Since this endpoint is accessible without authentication, a remote attacker can inject arbitrary shell commands by sending a specially crafted HTTP request. The vulnerability allows an attacker to redirect command execution results to a file within the web-accessible directory (`view/systemConfig/management/`), enabling a full "write-then-read" feedback loop. This bypasses typical blind injection limitations, allowing for persistent system compromise, sensitive data exfiltration, and complete control over the host server. |
| Source | ⚠️ https://my.feishu.cn/docx/EAFFdhzoeodDxfxeazNcxBzCnRf?from=from_copylink |
| User | 0menc (UID 75423) |
| Submission | 03/02/2026 03:27 (1 month ago) |
| Moderation | 03/14/2026 13:54 (12 days later) |
| Status | Accepted |
| VulDB entry | 351077 [Topsec TopACM 3.0 HTTP Request nmc_sync.php template_path os command injection] |
| Points | 20 |