CVE-2026-7490

CTMS and CPAS developed by Sunnet has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.twcert.org.tw/en/cp-139-10895-25ca1-2.html	Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-10894-1ac1f-1.html	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sun.net:ehrd_cpas::::::::
	cpe:2.3:a:sun.net:ehrd_ctms::::::::

History

12 May 2026, 13:27

Type	Values Removed	Values Added
CPE		cpe:2.3:a:sun.net:ehrd_ctms:::::::: cpe:2.3:a:sun.net:ehrd_cpas::::::::
First Time		Sun.net ehrd Cpas Sun.net Sun.net ehrd Ctms
References	~~() https://www.twcert.org.tw/en/cp-139-10895-25ca1-2.html -~~	() https://www.twcert.org.tw/en/cp-139-10895-25ca1-2.html - Third Party Advisory
References	~~() https://www.twcert.org.tw/tw/cp-132-10894-1ac1f-1.html -~~	() https://www.twcert.org.tw/tw/cp-132-10894-1ac1f-1.html - Third Party Advisory

02 May 2026, 10:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-02 10:16

Updated : 2026-06-17 11:02

NVD link : CVE-2026-7490

Mitre link : CVE-2026-7490

CVE.ORG link : CVE-2026-7490

JSON object : View

Products Affected

sun.net

ehrd_ctms
ehrd_cpas

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2026-7490", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-7490", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-05-04T14:55:59.823419Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "twcert@cert.org.tw", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "twcert@cert.org.tw", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "twcert@cert.org.tw", "affectedData": [{"vendor": "Sunnet", "product": "CTMS", "versions": [{"status": "affected", "version": "0"}], "defaultStatus": "unaffected"}, {"vendor": "Sunnet", "product": "CPAS", "versions": [{"status": "affected", "version": "0"}], "defaultStatus": "unaffected"}]}], "published": "2026-05-02T10:16:18.963", "references": [{"url": "https://www.twcert.org.tw/en/cp-139-10895-25ca1-2.html", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}, {"url": "https://www.twcert.org.tw/tw/cp-132-10894-1ac1f-1.html", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "twcert@cert.org.tw", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "CTMS and CPAS developed by Sunnet has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server."}], "lastModified": "2026-06-17T11:02:30.400", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sun.net:ehrd_cpas:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3FE975C7-8A1A-4288-B9E1-5567E84EE5CB"}, {"criteria": "cpe:2.3:a:sun.net:ehrd_ctms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AAC89180-FE38-4619-9EF6-A842758CD831"}], "operator": "OR"}]}], "sourceIdentifier": "twcert@cert.org.tw"}