Cyber Posture

CVE-2026-0522

Severity: High · Public PoC

Published: 01 April 2026
Modified: 07 April 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0035 (57.5th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

A local file inclusion vulnerability in the upload/download flow of the VertiGIS FM application allows authenticated attackers to read arbitrary files from the server by manipulating a file's path during its upload. When the file is subsequently downloaded, the file in the attacker-controlled path is returned. Due to the application's ASP.NET architecture, this could potentially lead to remote code execution when the "web.config" file is obtained. Furthermore, the application resolves UNC paths, which may enable NTLM-relaying attacks. This issue affects VertiGIS FM: 10.5.00119 (0d29d428).

Mitigating Controls (NIST 800-53 r5) · AI-generated

Prevent: Directly mitigates the local file inclusion vulnerability by requiring validation of the file path inputs supplied during the upload and download flows.

Prevent: Remediates the flaw in the VertiGIS FM 10.5.00119 upload/download mechanism so that arbitrary file reads are no longer possible.

Prevent: Enforces access controls that block reads from attacker-controlled paths, including web.config and UNC paths.

Security Summary · AI-generated

CVE-2026-0522 is a local file inclusion vulnerability (CWE-610) in the upload/download flow of the VertiGIS FM application, specifically affecting version 10.5.00119 (0d29d428). Authenticated attackers can manipulate a file's path during upload, causing the application to store or reference an arbitrary server file. When the manipulated file is subsequently downloaded, the contents of the attacker-controlled path are returned instead of the uploaded content.

Exploitation requires low privileges (PR:L), network access (AV:N) and low attack complexity (AC:L), giving a CVSS v3.1 base score of 8.8 (C:H/I:H/A:H). Successful exploitation enables reading of arbitrary files; because the application is built on ASP.NET, obtaining the web.config file could facilitate remote code execution. Additionally, the application's resolution of UNC paths may allow NTLM-relaying attacks, since the server will authenticate outbound to whatever host the path names.
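The mechanism described in the description and summary above (a client-supplied path that is joined onto the upload directory, stored, and later served verbatim by the download handler), shown as an added example that is not part of the CVE record and not VertiGIS's code. It uses Python's `ntpath` so the Windows path semantics an ASP.NET server sees behave the same on any OS; `UPLOAD_ROOT`, the function names and the sample file names are constructed for this example and do not come from the advisories. The vulnerable routine shows how a drive-letter, UNC or `..` path discards or escapes the upload root; the hardened routine is the validation the first mitigating control calls for.

```python
"""Added example: trusted-verbatim upload path vs. a contained one.

Not VertiGIS code. UPLOAD_ROOT and all sample names are constructed.
"""
import ntpath
import re

# Hypothetical upload directory; the real application's layout is not known.
UPLOAD_ROOT = r"C:\app\uploads"


def vulnerable_storage_path(upload_root: str, supplied_path: str) -> str:
    """Vulnerable pattern: join the client-supplied path onto the upload root
    and normalize it. ntpath.join discards upload_root when supplied_path is
    absolute (drive-letter or UNC), and normpath folds '..' segments, so the
    record stored for the upload can point at any file the worker process can
    read; a download handler that trusts the stored path then serves it."""
    return ntpath.normpath(ntpath.join(upload_root, supplied_path))


class UnsafePath(ValueError):
    """Raised when a supplied file name is rejected."""


# Allowlist for a bare file name: no separators, no drive letters, no NUL,
# no leading dot (so '..' and '.hidden' are refused).
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._ -]{0,254}$")


def safe_storage_path(upload_root: str, supplied_name: str) -> str:
    """Hardened pattern: accept only a bare file name, then verify that the
    normalized result still lies directly under upload_root before storing it.
    The early checks are redundant with the allowlist but give a precise
    rejection reason for logging."""
    if supplied_name.startswith(("\\\\", "//")):
        raise UnsafePath("UNC path rejected (would trigger outbound SMB/NTLM auth)")
    drive, _ = ntpath.splitdrive(supplied_name)
    if drive or ntpath.isabs(supplied_name):
        raise UnsafePath("absolute path rejected")
    if not _SAFE_NAME.match(supplied_name):
        raise UnsafePath("file name contains disallowed characters or separators")
    root = ntpath.normpath(upload_root)
    full = ntpath.normpath(ntpath.join(root, supplied_name))
    # Containment check: the resolved path must share the root as its prefix.
    if ntpath.commonpath([root, full]) != root:
        raise UnsafePath("resolved path escapes the upload root")
    return full


def rejection_reason(upload_root: str, supplied_name: str):
    """Return None if the name is accepted, otherwise the rejection message."""
    try:
        safe_storage_path(upload_root, supplied_name)
    except UnsafePath as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample inputs: one benign name and three hostile paths.
    samples = [
        "report.pdf",
        r"..\..\..\inetpub\wwwroot\web.config",
        r"C:\inetpub\wwwroot\web.config",
        r"\\attacker\share\doc.pdf",
    ]
    for name in samples:
        print(f"{name!r}")
        print(f"  vulnerable -> {vulnerable_storage_path(UPLOAD_ROOT, name)}")
        print(f"  hardened   -> {rejection_reason(UPLOAD_ROOT, name) or 'accepted'}")
```

Run it as a script to see each sample's fate under both routines. Two points the code does not cover but a practitioner would pair with it: the web.config read only becomes RCE if the worker identity can reach that file, so the application pool account should not be able to read outside the upload root; and the UNC angle is defused at the network layer by blocking outbound TCP 445 from the web server and requiring SMB signing, because a rejected UNC name is only as good as the code path that checks it.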

Advisories from VertiGIS and Redguard Security provide further details on mitigation: https://support.vertigis.com/hc/en-us/articles/31214433137042-Security-Vulnerability-VertiGIS-FM and https://www.redguard.ch/blog/2026/04/01/advisory-vertigisfm/.

Details

CWE(s)

Affected Products: vertigis fm 10.11.363

MITRE ATT&CK Enterprise Techniques · AI-generated

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1557.001 Name Resolution Poisoning and SMB Relay (tactic: Credential Access)
By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system.
Why these techniques?

T1190: Direct exploitation of public-facing web application vulnerability. T1005: Enables arbitrary file reads from the local system. T1557.001: UNC path handling facilitates NTLM-relay attacks.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References