Description
A weakness has been identified in Topsec TopACM 3.0. Affected by this vulnerability is an unknown functionality of the file /view/systemConfig/management/nmc_sync.php of the component HTTP Request Handler. Executing a manipulation of the argument template_path can lead to OS command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-15
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A flaw in the HTTP request handler of Topsec's TopACM 3.0 allows an attacker to inject arbitrary operating-system commands via the template_path parameter in nmc_sync.php. This leads to remote code execution on the affected server. The vulnerability corresponds to CWE-77 and CWE-78 and can compromise confidentiality, integrity, and availability of the system.

Affected Systems

The issue affects the Topsec TopACM product, version 3.0, specifically the file /view/systemConfig/management/nmc_sync.php within the HTTP Request Handler component. No other versions are listed, so all installations of TopACM 3.0 that expose this endpoint should be considered vulnerable.

Risk and Exploitability

The CVSS v4.0 score of 9.3 indicates critical severity, while the EPSS score of less than 1% suggests that the current probability of exploitation is low. The exploit is publicly available and the attack can be performed remotely. The description does not specify whether authentication is required, so the relevance of credential or administrative access remains uncertain. The vulnerability is not included in the CISA KEV catalog. Given the high severity and public availability, the risk is significant for any system exposing nmc_sync.php to external traffic.

Generated by OpenCVE AI on March 21, 2026 at 15:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain an official patch or upgrade from Topsec for TopACM 3.0 that fixes the command injection flaw.
  • If a patch is not yet available, restrict access to /view/systemConfig/management/nmc_sync.php to trusted networks or disable the endpoint entirely.
  • Implement input validation for the template_path parameter to reject shell metacharacters or enforce a whitelist of allowed values.
  • Deploy a web-application firewall rule that blocks requests containing command-execution patterns.
  • Monitor web server logs for anomalous requests targeting nmc_sync.php and investigate any suspicious activity promptly.



Advisories

No advisories yet.

History

Mon, 16 Mar 2026 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Topsec; Topsec topacm

Type: Vendors & Products
Values Removed: (none)
Values Added: Topsec; Topsec topacm

Sun, 15 Mar 2026 07:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: A weakness has been identified in Topsec TopACM 3.0. Affected by this vulnerability is an unknown functionality of the file /view/systemConfig/management/nmc_sync.php of the component HTTP Request Handler. Executing a manipulation of the argument template_path can lead to OS command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Removed: (none)
Values Added: Topsec TopACM HTTP Request nmc_sync.php os command injection

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-77; CWE-78

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV2_0 {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-16T15:41:29.413Z

Reserved: 2026-03-14T12:54:26.928Z

Link: CVE-2026-4170

Vulnrichment

Updated: 2026-03-16T15:41:26.074Z

NVD

Status: Deferred

Published: 2026-03-16T14:19:56.880

Modified: 2026-04-22T21:30:26.497

Link: CVE-2026-4170

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:01:58Z
