CVE-2026-22234

OPEXUS · eCasePortal

OPEXUS eCasePortal versions prior to 9.0.45.0 contain an insecure direct object reference vulnerability in the 'Attachments.aspx' endpoint, allowing unauthorized file access and manipulation.

Executive summary

An unauthenticated file access vulnerability in OPEXUS eCasePortal allows attackers to download, delete, or upload attachment files belonging to other users, posing a severe risk to the confidentiality and integrity of case data.

Vulnerability

The 'Attachments.aspx' endpoint does not verify that the requester is authorized for the record identified by the 'formid' parameter. Because 'formid' values are predictable, an unauthenticated attacker can iterate through them to retrieve other users' uploaded files and to delete or upload files in the repository.
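The authorization gap behind this class of bug, shown as an added generic example (not eCasePortal code, whose internals are not public): a record lookup keyed on a client-supplied formid, first without any check of who is asking, then with a server-side ownership check. The repository, user names and file contents are constructed for the illustration; the 'enumerate_attachments' helper plays the attacker walking a formid range.

```python
"""IDOR on an attachment endpoint: vulnerable lookup beside the hardened one."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attachment:
    formid: int
    owner: str
    filename: str
    content: bytes


# Constructed repository with sequential formids, as a case-management
# system that hands out auto-incremented record ids might hold.
REPO = {
    1041: Attachment(1041, "alice", "tax-return.pdf", b"%PDF alice"),
    1042: Attachment(1042, "bob", "medical.pdf", b"%PDF bob"),
    1043: Attachment(1043, "carol", "complaint.docx", b"PK carol"),
}


class AuthzError(Exception):
    """Caller is not authenticated (maps to HTTP 401 in a real handler)."""


class NotFound(Exception):
    """Record missing or not accessible to the caller (maps to HTTP 404)."""


def download_vulnerable(formid, user=None):
    """Return whatever record 'formid' names.

    Nothing about the caller is checked, so any client, authenticated or
    not, can walk formid=1, 2, 3, ... and retrieve every file. This is
    the insecure direct object reference pattern.
    """
    att = REPO.get(formid)
    if att is None:
        raise NotFound(formid)
    return att.content


def download_hardened(formid, user):
    """Authenticate, then check ownership of the record before returning it.

    The same check belongs in front of delete and upload operations; an
    authorization decision made once at login does not protect a
    per-record endpoint.
    """
    if user is None:
        raise AuthzError("authentication required")
    att = REPO.get(formid)
    # Return one error for both 'missing' and 'not yours' so the endpoint
    # does not confirm which formids exist and become an enumeration oracle.
    if att is None or att.owner != user:
        raise NotFound(formid)
    return att.content


def enumerate_attachments(handler, user, ids):
    """Simulate an attacker iterating a formid range against 'handler'.

    Returns the list of formids whose content was handed back.
    """
    leaked = []
    for fid in ids:
        try:
            handler(fid, user)
            leaked.append(fid)
        except (AuthzError, NotFound):
            pass
    return leaked


if __name__ == "__main__":
    ids = range(1040, 1046)
    print("vulnerable, unauthenticated:", enumerate_attachments(download_vulnerable, None, ids))
    print("hardened, unauthenticated:  ", enumerate_attachments(download_hardened, None, ids))
    print("hardened, as bob:           ", enumerate_attachments(download_hardened, "bob", ids))
```

Making formid values unguessable (random identifiers) raises the cost of enumeration but is not a substitute for the ownership check: an identifier that leaks through a link, a log or a referer is still usable by anyone unless the server ties it to a principal.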

Business impact

This vulnerability allows the unauthorized disclosure of sensitive documents and the destruction or tampering of case attachments, which could lead to severe reputational damage and regulatory non-compliance. With a CVSS score of 9.8 (Critical), exploitation from the network without credentials or user interaction is feasible, and full compromise of the attachment repository is a realistic outcome.

Remediation

Immediate Action: Upgrade OPEXUS eCasePortal to version 9.0.45.0 or later, the first version that corrects the authorization flaw.

Proactive Monitoring: Review web server access logs for the 'Attachments.aspx' endpoint, in particular runs of requests from a single client in which the 'formid' value increments by one, and requests that carry no authenticated user. Such runs are indicative of enumeration; any found in logs from before the upgrade should be treated as a potential breach, and the full set of 'formid' values requested should be recovered to scope the exposure.
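Detection logic for the pattern described above, as an added example and not a tool shipped by OPEXUS: it parses IIS W3C-format access log lines (ASP.NET pages are served by IIS, whose log field order is declared in a '#Fields:' header) and reports any client whose 'Attachments.aspx' requests form a run of consecutive 'formid' values. The log excerpt, addresses and user names are constructed for the example; the thresholds 'max_gap_seconds' and 'min_run' are assumptions to tune to the environment.

```python
"""Flag clients enumerating formid values against Attachments.aspx in IIS logs."""
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import parse_qs

# Constructed sample excerpt in IIS W3C extended format. The field list is
# reduced for readability; the parser follows whatever '#Fields:' declares.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs-username sc-status
2026-01-10 09:00:01 10.0.0.5 GET /Attachments.aspx formid=1041 203.0.113.7 - 200
2026-01-10 09:00:02 10.0.0.5 GET /Attachments.aspx formid=1042 203.0.113.7 - 200
2026-01-10 09:00:02 10.0.0.5 GET /Attachments.aspx formid=1043 203.0.113.7 - 200
2026-01-10 09:00:03 10.0.0.5 GET /Attachments.aspx formid=1044 203.0.113.7 - 404
2026-01-10 09:00:03 10.0.0.5 GET /Attachments.aspx formid=1045 203.0.113.7 - 200
2026-01-10 09:00:04 10.0.0.5 GET /Attachments.aspx formid=1046 203.0.113.7 - 200
2026-01-10 09:00:04 10.0.0.5 GET /Attachments.aspx formid=1047 203.0.113.7 - 200
2026-01-10 09:00:05 10.0.0.5 GET /Attachments.aspx formid=1048 203.0.113.7 - 200
2026-01-10 09:01:10 10.0.0.5 GET /Attachments.aspx formid=2210 198.51.100.9 jdoe 200
2026-01-10 09:05:44 10.0.0.5 GET /Attachments.aspx formid=2215 198.51.100.9 jdoe 200
2026-01-10 09:07:00 10.0.0.5 GET /Default.aspx - 198.51.100.9 jdoe 200
"""


def parse_iis_log(text):
    """Yield one dict per data line, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet or malformed line: skip rather than guess
        yield dict(zip(fields, values))


def formid_of(entry):
    """Return the integer formid of an Attachments.aspx request, else None."""
    stem = entry.get("cs-uri-stem", "").lower()
    if not stem.endswith("/attachments.aspx"):
        return None
    values = parse_qs(entry.get("cs-uri-query", "")).get("formid")
    if not values:
        return None
    try:
        return int(values[0])
    except ValueError:
        return None


def find_enumeration(log_text, max_gap_seconds=60, min_run=5):
    """Return {client_ip: summary} for clients whose Attachments.aspx requests
    contain a run of at least min_run requests in which each formid differs
    from the previous one by exactly 1 and arrives within max_gap_seconds."""
    by_client = defaultdict(list)
    for entry in parse_iis_log(log_text):
        formid = formid_of(entry)
        if formid is None:
            continue
        ts = datetime.strptime(f"{entry['date']} {entry['time']}", "%Y-%m-%d %H:%M:%S")
        by_client[entry["c-ip"]].append(
            (ts, formid, entry.get("cs-username", "-"), entry.get("sc-status", "?"))
        )

    findings = {}
    for ip, requests in by_client.items():
        requests.sort()
        best = None
        run = [requests[0]]
        for prev, cur in zip(requests, requests[1:]):
            close_in_time = (cur[0] - prev[0]).total_seconds() <= max_gap_seconds
            adjacent_id = abs(cur[1] - prev[1]) == 1
            run = run + [cur] if close_in_time and adjacent_id else [cur]
            if len(run) >= min_run and (best is None or len(run) > len(best)):
                best = list(run)
        if best:
            findings[ip] = {
                "requests": len(best),
                "formid_range": (best[0][1], best[-1][1]),
                "usernames": sorted({r[2] for r in best}),
                "status_counts": Counter(r[3] for r in best),
                "started": best[0][0].isoformat(),
            }
    return findings


if __name__ == "__main__":
    for ip, summary in find_enumeration(SAMPLE_LOG).items():
        print(ip, summary)
```

On the sample the anonymous client 203.0.113.7 is reported for walking formid 1041 through 1048 in five seconds, while the authenticated user jdoe, who opened two unrelated records minutes apart, is not. A 404 inside an otherwise successful run is itself a signal: it shows the attacker probing ids that do not exist rather than following links. For scoping after the fact, run the same pass with 'min_run' lowered and the time gap widened, since a patient attacker can rate-limit the enumeration.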

Compensating Controls: Until the upgrade is applied, restrict access to the eCasePortal application via network-level controls or a VPN to limit exposure to untrusted entities.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Immediate patching is required to prevent unauthorized access to sensitive attachments. Administrators should verify the integrity of the attachment repository following any potential unauthorized access attempt, comparing against backups for deleted or altered files and checking for files uploaded outside normal user activity.