CVE-2026-6847

4real · ThemisNETPanel

ThemisNETPanel contains a critical remote code execution vulnerability due to the lack of authentication on its file upload functionality.

Executive summary

An unauthenticated remote code execution vulnerability in ThemisNETPanel allows attackers to upload and execute malicious PHP files on the server.

Vulnerability

The application fails to perform authentication checks on a critical file upload endpoint. This allows an unauthenticated attacker to upload arbitrary PHP files, which can then be executed by the server, granting the attacker full control over the application environment.

Business impact

The CVSS score of 9.3 (Critical) highlights the severity of this remote code execution flaw. Successful exploitation leads to complete compromise of the web server, allowing for data exfiltration, unauthorized administrative access, and potential pivot points into the internal network.

Remediation

Immediate Action: Update 4real ThemisNETPanel to the version released in April 2026 or later.

Proactive Monitoring: Audit the server's web root and upload directories for unauthorized files, particularly those with a .php extension that were not placed there by authorized administrators.

Compensating Controls: Deploy a Web Application Firewall (WAF) rule to restrict access to the file upload endpoint and block attempts to upload files with executable extensions.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability represents a total security failure of the application's access controls. Organizations using ThemisNETPanel must verify that they have applied the April 2026 patch immediately, as the lack of authentication makes this an extremely easy target for remote attackers.