CVE-2026-0522 Overview
A local file inclusion (LFI) vulnerability exists in the upload/download flow of the VertiGIS FM application that allows authenticated attackers to read arbitrary files from the server. By manipulating a file's path during the upload process, attackers can specify arbitrary file paths that are then returned when the file is subsequently downloaded. This vulnerability is classified under CWE-610 (Externally Controlled Reference to a Resource in Another Sphere).
The impact is particularly severe due to the application's ASP.NET architecture. An attacker who successfully exploits this vulnerability could obtain the web.config file, which often contains sensitive configuration data including database connection strings, encryption keys, and other secrets. This information disclosure could potentially escalate to remote code execution. Additionally, the application resolves UNC paths, which creates an opportunity for NTLM-relaying attacks that could be leveraged for lateral movement or credential theft within the network.
Critical Impact
Authenticated attackers can read arbitrary server files including sensitive configuration files like web.config, potentially leading to remote code execution and enabling NTLM-relaying attacks through UNC path resolution.
Affected Products
- VertiGIS FM version 10.5.00119 (build 0d29d428)
Discovery Timeline
- April 1, 2026 - CVE-2026-0522 published to NVD
- April 1, 2026 - Last updated in NVD database
Technical Details for CVE-2026-0522
Vulnerability Analysis
This local file inclusion vulnerability stems from weaknesses in the file upload and download workflow of the VertiGIS FM application. The application fails to properly validate and canonicalize file path inputs during the upload process, allowing authenticated users to inject path traversal sequences or arbitrary file paths.
When an attacker uploads a file with a manipulated path parameter, the application stores this malicious path reference. Subsequently, when the file download functionality is invoked, the application uses the attacker-controlled path to retrieve the file, resulting in the disclosure of arbitrary files from the server filesystem.
The vulnerability is particularly dangerous in the context of ASP.NET applications because the web.config file typically contains critical security information such as machine keys, connection strings with database credentials, authentication configurations, and custom encryption keys. Exposure of machine keys, for instance, can enable ViewState deserialization attacks leading to remote code execution.
Furthermore, the application's handling of UNC paths introduces an additional attack surface. When a UNC path (e.g., \\attacker-server\share\file) is processed, the server initiates an SMB connection to the specified host and authenticates to it under the identity of the IIS worker process, sending NTLM challenge-response (Net-NTLM) messages. Those messages can be captured and relayed to other services that accept NTLM authentication, enabling NTLM-relay attacks.
Root Cause
The root cause of this vulnerability is improper input validation and lack of path canonicalization in the file upload/download mechanism. The application does not adequately sanitize user-supplied file path parameters, failing to prevent directory traversal sequences (such as ../) or absolute paths from being stored and later retrieved. Additionally, the application does not restrict or filter UNC path formats, allowing external network resource references.
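The following added example (not VertiGIS code; written for this page) shows the canonicalization check the root cause describes as missing, and which the workaround "Implement strict file path validation" calls for. It uses Python's ntpath so that Windows path semantics apply wherever the script runs; the upload directory C:\inetpub\wwwroot\VertiGIS\Uploads is a hypothetical value, not a path taken from the product. The check rejects UNC references first (so the server never opens an SMB connection to a caller-chosen host), then drive letters and rooted paths, and finally anything whose normalized form does not stay strictly inside the upload root.

```python
import ntpath
from urllib.parse import unquote

# Hypothetical upload directory; the real VertiGIS FM location is not given on the page.
UPLOAD_ROOT = r"C:\inetpub\wwwroot\VertiGIS\Uploads"


def resolve_upload_path(user_path: str, root: str = UPLOAD_ROOT) -> str:
    """Canonicalize a user-supplied file name and return its full path under root.

    Raises ValueError for anything that does not name a file strictly inside root.
    ntpath is used deliberately so the check follows Windows rules (both separators,
    drive letters, case-insensitive comparison) regardless of the host running it.
    """
    candidate = unquote(user_path)  # judge percent-encoded input on its decoded value
    if not candidate.strip() or "\x00" in candidate:
        raise ValueError("empty or NUL-containing path")
    # A UNC reference (\\host\share or //host/share) would make the server open an SMB
    # connection to 'host' when the file is later read; that is the NTLM-relay primitive.
    if candidate.startswith(("\\\\", "//")):
        raise ValueError("UNC path not allowed")
    # A drive letter (C:\...) or any other colon (alternate data streams) is never a
    # legitimate upload name.
    if ":" in candidate:
        raise ValueError("drive letters and colons not allowed")
    # A leading separator is rooted on the current drive, so it is absolute as well.
    if candidate.startswith(("\\", "/")):
        raise ValueError("absolute path not allowed")
    # Resolve '.', '..' and mixed separators, then require the result to remain under root.
    root_norm = ntpath.normpath(root)
    full = ntpath.normpath(ntpath.join(root_norm, candidate))
    # The trailing separator matters: without it, 'Uploads2\x' would pass as 'Uploads'.
    if not ntpath.normcase(full).startswith(ntpath.normcase(root_norm) + "\\"):
        raise ValueError("path escapes the upload root")
    return full


def is_safe_upload_path(user_path: str, root: str = UPLOAD_ROOT) -> bool:
    """Boolean wrapper around resolve_upload_path for use in filters and tests."""
    try:
        resolve_upload_path(user_path, root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: two legitimate names and the path shapes the advisory describes.
    for sample in [
        "report.pdf",
        "2026/report.pdf",
        "../../../web.config",
        r"..\..\..\web.config",
        "%2e%2e%5c%2e%2e%5cweb.config",
        r"C:\inetpub\wwwroot\VertiGIS\web.config",
        r"\\attacker-server\share\file",
        "//attacker-server/share/file",
        r"\web.config",
        r"sub\..\..\web.config",
    ]:
        try:
            print(f"ALLOW  {sample!r} -> {resolve_upload_path(sample)}")
        except ValueError as err:
            print(f"REJECT {sample!r}: {err}")
```

The function decodes percent-encoding exactly once; if the web framework has already decoded the parameter, pass the decoded value and drop the unquote call rather than decoding twice. Reserved device names (CON, NUL, COM1) and trailing dots or spaces, which Windows treats specially, are not covered here and should be handled by a file-name allow-list in addition to this directory check.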
Attack Vector
The attack requires authenticated access to the VertiGIS FM application and follows a two-stage process:
Upload Phase: The attacker uses the file upload functionality and manipulates the file path parameter to point to a target file on the server filesystem, such as ../../../web.config or an absolute path like C:\inetpub\wwwroot\VertiGIS\web.config.
Download Phase: The attacker then requests to download the previously "uploaded" file. The application resolves the manipulated path and returns the contents of the target file instead of a legitimately uploaded file.
For NTLM-relay attacks, the attacker specifies a UNC path pointing to an attacker-controlled server during the upload process. When the server processes this path, it initiates an SMB connection to the attacker's server, leaking NTLM credentials.
The attack is network-accessible, requires low privileges (authenticated user), and can be executed without user interaction, making it relatively straightforward to exploit once authentication is obtained.
Detection Methods for CVE-2026-0522
Indicators of Compromise
- Unusual file access patterns in web application logs showing requests for configuration files like web.config, appsettings.json, or system files
- File download requests containing path traversal sequences (../, ..\) in URL parameters or request bodies
- Outbound SMB connections (TCP port 445) from the web server to external or unexpected internal hosts
- Log entries showing file operations targeting paths outside the expected upload directory structure
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal patterns in file operation requests
- Monitor file system access events on the VertiGIS FM server for access to sensitive configuration files by the IIS worker process
- Configure network monitoring to alert on outbound SMB traffic originating from web servers
- Deploy endpoint detection and response (EDR) solutions to identify anomalous file access behaviors
Monitoring Recommendations
- Enable detailed logging for the VertiGIS FM application, particularly for file upload and download operations
- Implement Security Information and Event Management (SIEM) rules to correlate file access anomalies with user sessions
- Monitor for NTLM authentication events that may indicate relay attack attempts
- Establish baseline file access patterns and alert on deviations indicating potential exploitation
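The following added example (not from the page or the vendor) applies the indicators and detection strategies above to IIS W3C log lines. The log excerpt is constructed for this example; the endpoint names /VertiGIS/Upload.aspx and /VertiGIS/Download.aspx and the query parameter "path" are hypothetical, since the page does not name the real ones. Each request's query parameter values are decoded and checked for traversal sequences, Windows absolute paths, UNC references and sensitive configuration file names, and findings are grouped by user so they can be correlated with sessions as the monitoring recommendations suggest.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not from a real server); endpoint and parameter
# names are hypothetical.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2026-04-01 10:15:02 10.0.0.5 GET /VertiGIS/Download.aspx id=4412 443 jdoe 10.0.0.77 200
2026-04-01 10:15:41 10.0.0.5 POST /VertiGIS/Upload.aspx - 443 jdoe 10.0.0.77 200
2026-04-01 10:16:03 10.0.0.5 GET /VertiGIS/Download.aspx path=..%2F..%2F..%2Fweb.config 443 jdoe 10.0.0.77 200
2026-04-01 10:16:30 10.0.0.5 GET /VertiGIS/Download.aspx path=C:%5Cinetpub%5Cwwwroot%5CVertiGIS%5Cweb.config 443 jdoe 10.0.0.77 200
2026-04-01 10:17:12 10.0.0.5 GET /VertiGIS/Download.aspx path=%5C%5C10.0.0.99%5Cshare%5Cfile 443 jdoe 10.0.0.77 500
2026-04-01 10:18:00 10.0.0.5 GET /VertiGIS/Styles/site.css - 443 - 10.0.0.78 200
"""

SENSITIVE_FILES = re.compile(r"(?i)(web\.config|appsettings\.json|machine\.config)")
ABSOLUTE_WIN = re.compile(r"(?i)^[a-z]:[\\/]")


def parse_iis_log(text: str):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))


def analyze_value(value: str) -> list[str]:
    """Return the reasons a single query parameter value looks like file-path abuse."""
    decoded = unquote(unquote(value))  # two rounds so %252e%252e%2f is seen as ../
    reasons = []
    if "../" in decoded or "..\\" in decoded:
        reasons.append("path traversal")
    if decoded.startswith(("\\\\", "//")):
        reasons.append("UNC path")
    if ABSOLUTE_WIN.match(decoded):
        reasons.append("absolute path")
    if SENSITIVE_FILES.search(decoded):
        reasons.append("sensitive file name")
    return reasons


def find_suspicious_requests(log_text: str) -> list[dict]:
    """Scan IIS log text and return the requests that match the advisory's indicators."""
    findings = []
    for rec in parse_iis_log(log_text):
        reasons = set()
        stem = unquote(rec["cs-uri-stem"])
        if "../" in stem or "..\\" in stem:
            reasons.add("path traversal")
        if rec["cs-uri-query"] != "-":
            for pair in rec["cs-uri-query"].split("&"):
                reasons.update(analyze_value(pair.partition("=")[2]))
        if reasons:
            findings.append({
                "time": f"{rec['date']} {rec['time']}",
                "user": rec["cs-username"],
                "client": rec["c-ip"],
                "uri": rec["cs-uri-stem"],
                "status": rec["sc-status"],
                "reasons": sorted(reasons),
            })
    return findings


def summarize_by_user(findings: list[dict]) -> dict:
    """Count findings per authenticated user for session correlation in a SIEM."""
    return dict(Counter(f["user"] for f in findings))


if __name__ == "__main__":
    for f in find_suspicious_requests(SAMPLE_IIS_LOG):
        print(f"{f['time']} user={f['user']} client={f['client']} "
              f"status={f['status']} {f['uri']}: {', '.join(f['reasons'])}")
    print(summarize_by_user(find_suspicious_requests(SAMPLE_IIS_LOG)))
```

IIS logs do not record POST bodies, so the upload phase, where the manipulated path is most likely submitted, is invisible here; this script catches the download phase only when the path travels in the query string. That is why the monitoring recommendations call for application-level logging of upload and download operations, which would record the stored path itself.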
How to Mitigate CVE-2026-0522
Immediate Actions Required
- Review and restrict user access to the VertiGIS FM application, limiting authenticated access to only essential personnel
- Implement network segmentation to prevent the web server from initiating outbound SMB connections
- Apply web application firewall rules to block requests containing path traversal patterns
- Audit recent file access logs for signs of exploitation and investigate any anomalies
Patch Information
VertiGIS has released security guidance for this vulnerability. Administrators should consult the VertiGIS Security Vulnerability Advisory for official patch information and remediation instructions. Additional technical details are available in the RedGuard Blog Advisory Post.
Workarounds
- Disable or restrict access to the file upload/download functionality until a patch can be applied
- Configure Windows Firewall on the web server to block outbound SMB traffic (TCP port 445) to prevent NTLM-relay attacks
- Implement strict file path validation at the application or web server level using URL rewrite rules
- Consider placing the VertiGIS FM application behind additional authentication layers to limit exposure
# Block outbound SMB traffic from the web server using Windows Firewall.
# An outbound SMB client connection uses an ephemeral local port and connects to
# port 445 on the remote host, so the rules must match the remote port, not the local one.
netsh advfirewall firewall add rule name="Block Outbound SMB" dir=out action=block protocol=TCP remoteport=445
netsh advfirewall firewall add rule name="Block Outbound SMB UDP" dir=out action=block protocol=UDP remoteport=445
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.