CVE-2025-2155

Echo Call Center Services Trade and Industry Inc · Specto CM

Specto CM contains an unrestricted file upload vulnerability that enables remote attackers to include and execute arbitrary code on the server.

Executive summary

A high-severity (CVSS 8.8) unrestricted file upload vulnerability in Echo Call Center Services' Specto CM allows remote attackers to execute arbitrary code on the underlying server.

Vulnerability

The application accepts file uploads without adequately validating the file's type or extension, and stores them where the web server will serve them. An unauthenticated attacker can upload a script (for example a PHP web shell) and then request or otherwise trigger it, so that the server includes and executes the attacker's code (the advisory's "Remote Code Inclusion", RCI), leading to full compromise of the host.
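To make the flaw class concrete, the following is an added example written for this advisory, not Specto CM code or anything published by the vendor: a minimal upload handler with the unrestricted behaviour described above, next to a hardened version. The function names, the extension allow-list, the magic-byte table and the sample PHP payload are all constructed for the illustration.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Illustrative handlers added for this advisory; not Specto CM code. Names,
# the allow-list and the sample payload are constructed for the example.

# Allowed extension -> leading magic bytes the body must start with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}


class UploadRejected(ValueError):
    pass


def vulnerable_save(webroot, filename, data):
    """Unrestricted upload: trusts the client's filename and writes it under
    the web root, where a .php/.asp/.jsp name will be executed on request."""
    dest = Path(webroot) / "uploads" / filename   # no extension or content check
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return str(dest)


def hardened_save(store_dir, filename, data):
    """Allow-list the extension, require matching magic bytes, replace the
    client's name with a random one, and keep the file out of the web root."""
    ext = Path(filename).suffix.lower()          # only the last extension
    if ext not in ALLOWED:
        raise UploadRejected("extension not allowed: %r" % ext)
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match declared type")
    # A forged header (PNG bytes followed by PHP) still passes this check, so
    # the random server-side name and the non-executable store_dir are what
    # actually stop execution; see demo() below.
    dest = Path(store_dir) / (secrets.token_hex(16) + ext)
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return str(dest)


def demo():
    """Run both handlers on constructed inputs in a temp dir; returns a
    summary dict keyed by the client-supplied filename."""
    webshell = b"<?php system($_GET['c']); ?>"        # constructed sample
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        results["vulnerable"] = os.path.basename(
            vulnerable_save(tmp, "shell.php", webshell))
        cases = [
            ("shell.php", webshell),                        # wrong extension
            ("shell.png", webshell),                        # right ext, wrong bytes
            ("shell.php.png", ALLOWED[".png"] + webshell),  # forged header
        ]
        for name, body in cases:
            try:
                saved = hardened_save(os.path.join(tmp, "store"), name, body)
                results[name] = "stored as " + os.path.basename(saved)
            except UploadRejected as exc:
                results[name] = "rejected: " + str(exc)
    return results
```

Calling demo() writes shell.php verbatim under the vulnerable handler's web root, while the hardened handler rejects shell.php (extension) and shell.png with PHP inside (magic bytes) but still accepts shell.php.png carrying a forged PNG header. That last case is why the rename and the non-executable storage location matter: content checks alone do not make an upload safe.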

Business impact

The CVSS score of 8.8 (High) reflects the severity. Successful exploitation gives the attacker persistent access to the server through the uploaded web shell, exposes the customer and call-centre data handled by the application, and offers a foothold for pivoting into the internal network, with correspondingly serious operational and reputational consequences. Note that 8.8 is below the 9.8 that a network-reachable, unauthenticated, no-interaction code-execution flaw scores, so confirm the published vector string (privileges required, user interaction) before treating the upload endpoint as reachable without credentials.

Remediation

Immediate Action: Update Specto CM to version 17032025, which adds the missing file upload restrictions.

Proactive Monitoring: Scan the upload directories, and the web root generally, for files with a script extension anywhere in the name (shell.php, but also shell.php.png and .htaccess) or whose content starts with a script marker regardless of extension, and review access logs for POST requests to the upload endpoint followed by a request for the uploaded file from the same client.
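As an added example (not vendor tooling) of the monitoring described above, the script below does two things: it walks an upload tree flagging anything that is a script by any of its extensions or by its leading bytes, and it pairs POSTs to an upload endpoint with later successful requests for script-typed files from the same client in combined-format access logs. The extension list, the upload endpoint path and the sample files and log lines are constructed assumptions for the example.

```python
import os
import re
import tempfile

# Detection helpers added for this advisory; not Specto CM or vendor code.
# The extension list, log format and sample data are constructed assumptions.

# Extensions a typical PHP/ASP/JSP stack will execute under the web root.
SCRIPT_EXTS = {".php", ".php3", ".php5", ".php7", ".phtml", ".phar",
               ".asp", ".aspx", ".jsp", ".jspx", ".cgi", ".pl", ".py", ".sh",
               ".htaccess"}
# Byte sequences that mark script content, whatever the file is called.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"#!/")

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')


def all_extensions(name):
    """Every extension in a name, so 'shell.php.png' yields {'.php', '.png'}."""
    return {"." + p for p in name.lower().split(".")[1:]}


def scan_upload_dir(root):
    """Walk an upload tree and flag files that look like scripts by any
    extension or by their leading bytes."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(512)
            reasons = []
            if all_extensions(name) & SCRIPT_EXTS:
                reasons.append("script extension")
            if any(marker in head for marker in SCRIPT_MARKERS):
                reasons.append("script content")
            if reasons:
                findings.append({"path": path, "reasons": reasons})
    return findings


def find_upload_then_exec(log_lines, upload_prefixes=("/upload",)):
    """Flag clients that POST to an upload endpoint and then successfully
    request a script-typed file; that pairing is the web-shell pattern."""
    posted = set()
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        if method == "POST" and status < 400 and \
                any(path.startswith(p) for p in upload_prefixes):
            posted.add(ip)
        elif ip in posted and status < 400:
            fname = path.split("?", 1)[0].rsplit("/", 1)[-1]
            if all_extensions(fname) & SCRIPT_EXTS:
                hits.append({"ip": ip, "path": path, "ts": m["ts"]})
    return hits


# Constructed access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Mar/2025:10:01:02 +0000] "POST /upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Mar/2025:10:01:05 +0000] "GET /uploads/cmd.php?c=id HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Mar/2025:10:02:10 +0000] "POST /upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Mar/2025:10:02:12 +0000] "GET /uploads/avatar.png HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [17/Mar/2025:10:03:00 +0000] "GET /uploads/old.php HTTP/1.1" 404 0 "-" "curl/8.0"',
]


def demo_scan():
    """Build a constructed upload directory and return {basename: reasons}."""
    samples = {
        "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "shell.php": b"<?php system($_GET['c']); ?>",
        "pic.php.png": b"\x89PNG\r\n\x1a\n<?php eval($_POST['x']); ?>",
        "notes.txt": b"plain text, nothing to see",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(body)
        return {os.path.basename(f["path"]): f["reasons"]
                for f in scan_upload_dir(tmp)}
```

On the constructed data, demo_scan() flags shell.php and pic.php.png (both by extension and by content) and leaves avatar.png and notes.txt alone, while find_upload_then_exec(SAMPLE_LOG) reports only 203.0.113.5, which uploaded and then fetched cmd.php; the 404 for old.php from a client that never uploaded is ignored. In production, run the scan from cron against the real upload path and feed the log function from the web server's access log.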

Compensating Controls: Configure the web server so that nothing under the upload directory is handed to a script interpreter (and, where possible, store uploads outside the web root and serve them with a fixed, non-executable content type), and enforce an extension allow-list at the WAF that rejects multipart filenames carrying a script extension anywhere in the name.
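One way to implement the first control, as an added illustrative nginx fragment rather than vendor-supplied configuration (the /uploads/ path and the extension list are assumptions to adapt to the deployment): the prefix location takes precedence over any regex location elsewhere in the server block that forwards .php to an interpreter, so nothing under it reaches PHP, and scripts hiding behind a double extension are caught by matching the extension anywhere in the name.

```nginx
# Added example for this advisory, not vendor configuration; the upload
# path and the extension list are assumptions to adapt to the deployment.
location ^~ /uploads/ {
    # Anything that looks like a script by any of its extensions
    # (shell.php, shell.phtml, shell.php.png) is refused outright.
    location ~* \.(php|phtml|phar|php\d|cgi|pl|py|sh|asp|aspx|jsp|jspx)(\.|$) {
        return 403;
    }

    # The ^~ prefix match wins over regex locations defined elsewhere in
    # the server block (such as "location ~ \.php$ { fastcgi_pass ...; }"),
    # so files in this tree are never handed to the interpreter.

    # Serve everything else as an opaque download so that a browser does
    # not render uploaded HTML/SVG/JS in the application's origin.
    types { }
    default_type application/octet-stream;
    add_header X-Content-Type-Options nosniff always;
    add_header Content-Disposition "attachment" always;
}
```

After reloading, confirm the control with a request for a known script path under /uploads/ and check that the response is 403 rather than interpreter output; also verify that the application does not have a second upload location outside this prefix.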

Exploitation status

Public Exploit Available: true

Analyst recommendation

Unrestricted file uploads are a frequent target for attackers seeking initial access. Organizations running Specto CM should update to version 17032025 immediately to close this gap and prevent unauthorized code execution, and should verify that the web server cannot execute anything stored in the upload directory even after the update.