CVE-2025-9846

TalentSys · TalentSys Consulting Information Technology Industry Inc. Inka.Net

Executive summary

A critical vulnerability, identified as CVE-2025-9846, has been discovered in TalentSys Consulting's Inka.Net software. This flaw allows an unauthenticated attacker to upload a malicious file, which can then be used to execute arbitrary commands and completely take over the affected server. Due to its maximum severity rating (CVSS 10), immediate patching is required to prevent potential data theft, system compromise, and significant business disruption.

Vulnerability

The vulnerability is an "Unrestricted Upload of File with Dangerous Type," which leads to remote command injection. The application fails to properly validate the types of files being uploaded, allowing an attacker to upload a web shell (e.g., a .php, .jsp, or .aspx file) disguised as a benign file. Once the malicious file is on the server, the attacker can access it via a URL, causing the server to execute the code within the file. This provides the attacker with the ability to run arbitrary system commands with the privileges of the web server's user account, leading to a full system compromise.

Business impact

This vulnerability is of critical severity with a CVSS score of 10, indicating the highest possible risk. A successful exploit would grant an attacker complete control over the affected server, leading to a total loss of confidentiality, integrity, and availability. Potential consequences include the theft of sensitive corporate or customer data, deployment of ransomware, modification or deletion of critical information, and using the compromised server as a pivot point to attack other systems within the network. The business risks include severe reputational damage, financial loss from downtime and recovery efforts, and potential regulatory fines.

Remediation

Immediate Action: Upgrade all instances of TalentSys Inka.Net to version 6.7.1 or later, which patches the vulnerability. After applying the update, monitor systems for any signs of prior exploitation: review web server access logs for suspicious file upload events and for requests to unusual file paths that may indicate a previously uploaded web shell.

Proactive Monitoring: Implement enhanced monitoring of the affected application servers. Security teams should look for unusual file uploads, particularly those with executable extensions (.php, .jsp, .sh, .exe, etc.), in web-accessible directories. Monitor for unexpected outbound network connections from the web server and scrutinize running processes for suspicious commands executed by the web application's service account.
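As an added example of the log review described in the remediation and monitoring paragraphs above (this is not code from the advisory or from TalentSys), the script below scans web server access log lines for requests to files with executable extensions under directories that serve uploaded content, and notes whether the same client had earlier POSTed to an upload endpoint. The upload endpoint substring and the served directories are assumptions, since the advisory does not name Inka.Net's paths.

```python
import re
from dataclasses import dataclass

# Executable extensions a web shell would need (list taken from the advisory).
DANGEROUS_EXTS = {"php", "jsp", "aspx", "sh", "exe"}
# Assumptions: the advisory does not name Inka.Net's upload endpoint or served upload directory.
UPLOAD_ENDPOINT_HINT = "upload"            # substring of the POST path that receives files
SERVED_UPLOAD_DIRS = ("/uploads/", "/files/")

# Common/combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})')

@dataclass
class Finding:
    ip: str
    path: str
    status: int
    correlated: bool  # same client POSTed to the upload endpoint earlier in the log

def parse(line):
    m = LOG_RE.match(line)
    return {**m.groupdict(), "status": int(m["status"])} if m else None

def extension(path):
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def hunt(lines):
    """Flag requests for executable files under served upload directories and
    record whether that client had already POSTed to the upload endpoint."""
    uploaders, findings = set(), []
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        if r["method"] == "POST" and UPLOAD_ENDPOINT_HINT in r["path"].lower():
            uploaders.add(r["ip"])
        if r["path"].startswith(SERVED_UPLOAD_DIRS) and extension(r["path"]) in DANGEROUS_EXTS:
            findings.append(Finding(r["ip"], r["path"].split("?", 1)[0], r["status"], r["ip"] in uploaders))
    return findings

# Constructed sample lines (not real traffic): one benign user, one suspicious sequence, one probe.
SAMPLE_LOG = [
    '198.51.100.4 - - [12/Sep/2025:09:58:41 +0000] "POST /api/document/upload HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/Sep/2025:09:58:45 +0000] "GET /uploads/invoice.pdf HTTP/1.1" 200 90211',
    '203.0.113.7 - - [12/Sep/2025:10:01:02 +0000] "POST /api/document/upload HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Sep/2025:10:01:09 +0000] "GET /uploads/report.aspx HTTP/1.1" 200 238',
    '192.0.2.9 - - [12/Sep/2025:10:05:13 +0000] "GET /files/tools.php HTTP/1.1" 404 162',
]
```

A correlated hit with a 200 status is the strongest signal to triage first; a 404 on an executable path shows someone probing for a shell that is not (or no longer) present.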

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce risk:

  • Use a Web Application Firewall (WAF) with rules configured to block the upload of files with dangerous or executable extensions.
  • If possible, temporarily disable file upload functionality until patching can be completed.
  • Ensure the web server process runs with the lowest possible user privileges to limit the impact of a potential command injection.
  • Perform regular file integrity monitoring on web directories to detect the presence of unauthorized files.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity (CVSS 10) of this vulnerability, we strongly recommend that organizations treat this as an emergency. All internet-facing instances of TalentSys Inka.Net running versions prior to 6.7.1 should be patched immediately. Because future exploitation is highly likely, the risk of leaving systems unpatched is exceptionally high. After patching, organizations should assume a breach may have already occurred and hunt for any indicators of compromise.