CVE-2026-0522

A local file inclusion vulnerability in the upload/download flow of the VertiGIS FM application allows authenticated attackers to read arbitrary files from the server by manipulating a file's path during its upload. When the file is subsequently downloaded, the file in the attacker controlled path is returned. Due to the application's ASP.NET architecture, this could potentially lead to remote code execution when the "web.config" file is obtained. Furthermore, the application resolves UNC paths which may enable NTLM-relaying attacks. This issue affects VertiGIS FM: 10.5.00119 (0d29d428).

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://support.vertigis.com/hc/en-us/articles/31214433137042-Security-Vulnerability-VertiGIS-FM	Vendor Advisory
https://www.redguard.ch/blog/2026/04/01/advisory-vertigis-vertigisfm/	Third Party Advisory Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:vertigis:fm:10.11.363:*:*:*:*:*:*:*

History

07 Apr 2026, 20:36

Type	Values Removed	Values Added
References	~~() https://support.vertigis.com/hc/en-us/articles/31214433137042-Security-Vulnerability-VertiGIS-FM -~~	() https://support.vertigis.com/hc/en-us/articles/31214433137042-Security-Vulnerability-VertiGIS-FM - Vendor Advisory
References	~~() https://www.redguard.ch/blog/2026/04/01/advisory-vertigis-vertigisfm/ -~~	() https://www.redguard.ch/blog/2026/04/01/advisory-vertigis-vertigisfm/ - Third Party Advisory, Exploit
CPE		cpe:2.3:a:vertigis:fm:10.11.363:::::::*
First Time		Vertigis fm Vertigis
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8

01 Apr 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-01 14:16

Updated : 2026-04-07 20:36

NVD link : CVE-2026-0522

Mitre link : CVE-2026-0522

CVE.ORG link : CVE-2026-0522

JSON object : View

Products Affected

vertigis

fm

CWE

CWE-610

Externally Controlled Reference to a Resource in Another Sphere

{"id": "CVE-2026-0522", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "vulnerability@ncsc.ch", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-01T14:16:26.397", "references": [{"url": "https://support.vertigis.com/hc/en-us/articles/31214433137042-Security-Vulnerability-VertiGIS-FM", "tags": ["Vendor Advisory"], "source": "vulnerability@ncsc.ch"}, {"url": "https://www.redguard.ch/blog/2026/04/01/advisory-vertigis-vertigisfm/", "tags": ["Third Party Advisory", "Exploit"], "source": "vulnerability@ncsc.ch"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "vulnerability@ncsc.ch", "description": [{"lang": "en", "value": "CWE-610"}]}], "descriptions": [{"lang": "en", "value": "A local file inclusion vulnerability in the upload/download flow of the VertiGIS FM application allows authenticated attackers to read arbitrary files from the server by manipulating a file's path during its upload. When the file is subsequently downloaded, the file in the attacker controlled path is returned. Due to the application's ASP.NET architecture, this could potentially lead to remote code execution when the \"web.config\" file is obtained. Furthermore, the application resolves UNC paths which may enable NTLM-relaying attacks.\n\n\n\n\n\n\n\nThis issue affects VertiGIS FM: 10.5.00119 (0d29d428)."}], "lastModified": "2026-04-07T20:36:08.603", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vertigis:fm:10.11.363:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "73FCA741-5F96-4AC3-986B-CB6DA8489664"}], "operator": "OR"}]}], "sourceIdentifier": "vulnerability@ncsc.ch"}