Description
The Terrapack software, from ASTER TEC / ASTER S.p.A., with the indicated components and versions has a file upload vulnerability that may allow attackers to execute arbitrary code. Vulnerable components include Terrapack TkWebCoreNG 1.0.20200914, Terrapack TKServerCGI 2.5.4.150, and Terrapack TpkWebGIS Client 1.0.0.
Published: 2026-03-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via File Upload
Action: Apply Patch
AI Analysis

Impact

A file upload flaw in the Terrapack software suite allows an attacker to upload code that the system will execute with the privileges of the web server. The vulnerability is categorized as CWE-434 (Unrestricted Upload of File with Dangerous Type). An attacker who can send a malicious file to the affected components can run arbitrary commands, potentially compromising the confidentiality, integrity, and availability of the host.

Affected Systems

The flaw exists in ASTER TEC’s Terrapack package. Affected components and versions are: Terrapack TkWebCoreNG 1.0.20200914, Terrapack TKServerCGI 2.5.4.150, and Terrapack TpkWebGIS Client 1.0.0. These are delivered by ASTER S.p.A.

Risk and Exploitability

The issue has a CVSS score of 8.8, indicating high severity, while an EPSS of less than 1% indicates a low estimated probability of exploitation. It is not listed in the CISA KEV catalog. The CVSS vector (AV:N/AC:L/PR:L/UI:N) describes a low-complexity attack over the network that requires low privileges and no user interaction. The most likely attack vector is a remote exploit, where an attacker submits a malicious file through a publicly exposed upload endpoint. Successful exploitation would give the attacker remote code execution.

Generated by OpenCVE AI on March 23, 2026 at 15:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact ASTER S.p.A. for an updated version of the affected Terrapack components that removes the upload flaw.
  • If an update is not immediately available, restrict the upload functionality by disabling or removing the upload endpoint, or confining uploads to a directory with no execution permissions.
  • Apply network segmentation or firewall rules to block external access to the upload service until a patch is deployed.
  • Monitor the web server and file upload logs for signs of unauthorized upload activity, and review system integrity and security controls regularly.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-434
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}; ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Aster; Aster tkservercgi; Aster tkwebcoreng; Aster tpkwebgis Client
Vendors & Products | | Aster; Aster tkservercgi; Aster tkwebcoreng; Aster tpkwebgis Client

Fri, 20 Mar 2026 16:00:00 +0000

Type | Values Removed | Values Added
Description | | The Terrapack software, from ASTER TEC / ASTER S.p.A., with the indicated components and versions has a file upload vulnerability that may allow attackers to execute arbitrary code. Vulnerable components include Terrapack TkWebCoreNG 1.0.20200914, Terrapack TKServerCGI 2.5.4.150, and Terrapack TpkWebGIS Client 1.0.0.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-23T13:57:45.455Z

Reserved: 2025-12-08T00:00:00.000Z

Link: CVE-2025-67260

Vulnrichment

Updated: 2026-03-23T13:56:59.084Z

NVD

Status: Awaiting Analysis

Published: 2026-03-20T16:16:16.490

Modified: 2026-03-24T15:54:09.400

Link: CVE-2025-67260

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:10:19Z

Weaknesses