CVE-2025-6076
Description
Partner Software's Partner Software application and Partner Web application do not sanitize files uploaded on the "reports" tab, allowing an authenticated attacker to upload a malicious file and compromise the device. By default, the software runs as SYSTEM, heightening the severity of the vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated attackers can upload arbitrary files via the unsanitized reports tab in Partner Software/Partner Web, leading to remote code execution as SYSTEM.
Vulnerability Overview
CVE-2025-6076 describes a missing file sanitization vulnerability in Partner Software's Partner Software and Partner Web applications. The product fails to validate files uploaded through the "Reports" tab, allowing any file type or extension to be accepted without restriction [1][2]. This includes executable files that can then be served or executed on the server.
Attack Vector
An attacker must first be authenticated to the application. The default administrator credentials (CVE-2025-6077) can be used to gain initial access if unchanged [1][2]. Once authenticated, the attacker can upload a malicious file (e.g., a web shell) via the reports upload functionality. The file is stored on the server and can be directly accessed, leading to code execution.
Impact
Due to the application running with SYSTEM privileges by default, successful exploitation grants the attacker full control over the affected device [1][2]. This allows arbitrary code execution, data exfiltration, or further compromise of the network.
Mitigation Status
No official patch has been announced at this time. Users are advised to change default credentials immediately and restrict file upload capabilities if possible [1][2]. The CERT/CC vulnerability note also recommends implementing input sanitization and file type validation.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
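The input sanitization and file type validation recommended above can be sketched as follows. This is an added example, not code from Partner Software or CERT/CC; the allowed report types, the size limit, and the names `validate_report_upload` and `store_report` are assumptions.

```python
import os
import secrets

# Assumption: the reports feature only needs these types (the advisory does not
# list them). Each allowed extension maps to the magic bytes content must start with.
ALLOWED_TYPES = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n"}
MAX_BYTES = 10 * 1024 * 1024  # assumed size limit


class UploadRejected(ValueError):
    """Raised when an uploaded report fails validation."""


def validate_report_upload(client_name: str, data: bytes) -> str:
    """Return a server-generated storage name, or raise UploadRejected."""
    # Keep only the last path component; accept both separator styles.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    # splitext keeps trailing dots, spaces and ":stream" suffixes in the
    # extension, so Windows name tricks fail the allowlist lookup below.
    _, ext = os.path.splitext(base.lower())
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    if not 0 < len(data) <= MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared type")
    # Never reuse the client-supplied name on disk.
    return secrets.token_hex(16) + ext


def store_report(upload_dir: str, client_name: str, data: bytes) -> str:
    """Validate, then write under upload_dir with exclusive create."""
    name = validate_report_upload(client_name, data)
    path = os.path.join(upload_dir, name)
    with open(path, "xb") as fh:  # "x" refuses to overwrite an existing file
        fh.write(data)
    return path
```

Point `upload_dir` at a directory the web server neither serves nor executes from; a magic-byte check alone does not stop polyglot files, and running the service under a low-privilege account instead of SYSTEM limits what a bypass can reach.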
Affected products: 1
Patches: 0
No patches discovered yet.
References: 3
News mentions: 0
No linked articles in our index yet.