Description
A local file inclusion vulnerability in the upload/download flow of the VertiGIS FM application allows authenticated attackers to read arbitrary files from the server by manipulating a file's path during its upload. When the file is subsequently downloaded, the file in the attacker controlled path is returned. Due to the application's ASP.NET architecture, this could potentially lead to remote code execution when the "web.config" file is obtained. Furthermore, the application resolves UNC paths which may enable NTLM-relaying attacks.







This issue affects VertiGIS FM: 10.5.00119 (0d29d428).
Published: 2026-04-01
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution possible through malicious file upload leading to arbitrary file read
Action: Immediate Patch
AI Analysis

Impact

VertiGIS FM contains a local file inclusion flaw in its upload/download flow that allows authenticated users to manipulate a file's path to read any file stored on the server. Exploiting this, an attacker can obtain sensitive configuration files such as web.config, which could enable remote code execution on the underlying ASP.NET host. The vulnerability also permits the resolution of UNC paths, opening the possibility of NTLM‑relaying attacks if SMB traffic is exposed.

Affected Systems

The issue is verified against VertiGIS FM version 10.5.00119 (build 0d29d428). All installations running this version or earlier that have not applied the vendor’s fix are considered vulnerable.

Risk and Exploitability

The flaw scores a CVSS of 7.4, indicating a high severity. The EPSS score is below 1%, suggesting that widespread exploitation is unlikely at present, and the vulnerability is not listed in CISA’s KEV catalog. Because the attack requires authenticated access to the web application, the vector is the application itself; however, successful exploitation could lead to file disclosure, remote code execution, and possible lateral movement via NTLM relaying. Monitoring for unusual file upload activity and the presence of sensitive files in the webroot is recommended.

Generated by OpenCVE AI on April 7, 2026 at 21:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the VertiGIS FM security patch for version 10.5.00119 or a newer release as soon as possible.
  • If the vendor patch is unavailable, upgrade to the latest VertiGIS FM version that includes the fix.
  • Restrict file upload directories to non‑privileged locations and enforce strict path validation to prevent manipulation of the download path.
  • Disable UNC path resolution in the application configuration unless required by business processes.
  • Restrict or monitor access to web.config and other configuration files to prevent unauthorized reading or modification.
  • Review server and network logs for signs of unauthorized file reads, NTLM relaying attempts, or malicious upload behavior.

Generated by OpenCVE AI on April 7, 2026 at 21:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Vertigis fm
CPEs cpe:2.3:a:vertigis:fm:10.11.363:*:*:*:*:*:*:*
Vendors & Products Vertigis fm
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description A local file inclusion vulnerability in the upload/download flow of the VertiGIS FM application allows authenticated attackers to read arbitrary files from the server by manipulating a file's path during its upload. When the file is subsequently downloaded, the file in the attacker controlled path is returned. Due to the application's ASP.NET architecture, this could potentially lead to remote code execution when the "web.config" file is obtained. Furthermore, the application resolves UNC paths which may enable NTLM-relaying attacks. This issue affects VertiGIS FM: 10.5.00119 (0d29d428).
Title Local File Inclusion in the File Upload/Download Process
First Time appeared Vertigis
Vertigis vertigis Fm
Weaknesses CWE-610
CPEs cpe:2.3:a:vertigis:vertigis_fm:*:*:*:*:*:*:*:*
Vendors & Products Vertigis
Vertigis vertigis Fm
References
Metrics cvssV4_0

{'score': 7.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:P'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Vertigis Fm Vertigis Fm
cve-icon MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-04-01T13:41:23.300Z

Reserved: 2025-12-17T08:22:38.979Z

Link: CVE-2026-0522

cve-icon Vulnrichment

Updated: 2026-04-01T13:41:08.971Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T14:16:26.397

Modified: 2026-04-07T20:36:08.603

Link: CVE-2026-0522

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:59:51Z

Weaknesses