CVE-2025-67260 identifies a critical file upload vulnerability in the Terrapack software suite developed by ASTER TEC / ASTER S.p.A. The affected components are Terrapack TkWebCoreNG version 1.0.20200914, TKServerCGI version 2.5.4.150, and TpkWebGIS Client version 1.0.0. This vulnerability falls under CWE-434, which involves the unrestricted upload of files with dangerous types, allowing attackers to bypass file type restrictions and upload malicious payloads. The flaw enables an attacker with low privileges (PR:L) and no need for user interaction (UI:N) to remotely upload files that can be executed on the server, leading to arbitrary code execution. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability's nature and severity suggest a high risk of exploitation once weaponized. The affected components are typically used in GIS and web-based industrial applications, which may be critical infrastructure in some environments. The lack of available patches necessitates immediate risk mitigation and monitoring. The vulnerability was reserved in December 2025 and published in March 2026, indicating recent discovery and disclosure.

The exploitation of CVE-2025-67260 could have severe consequences for organizations using the affected Terrapack components. Successful attacks may lead to full system compromise through arbitrary code execution, allowing attackers to steal sensitive data, disrupt operations, or establish persistent access. Given the components' use in GIS and industrial control systems, impacts could extend to critical infrastructure sectors such as utilities, transportation, and manufacturing. The high CVSS score reflects the potential for widespread damage, including data breaches, service outages, and operational sabotage. Organizations may face regulatory penalties and reputational damage if exploited. The vulnerability's ease of exploitation (low complexity, no user interaction) increases the likelihood of attacks, especially in environments with exposed Terrapack services. The absence of known exploits currently provides a window for proactive defense, but this may close rapidly as threat actors develop weaponized payloads.

1. Immediately conduct an inventory to identify all instances of Terrapack TkWebCoreNG, TKServerCGI, and TpkWebGIS Client in your environment. 2. Restrict network access to these components using firewalls and segmentation to limit exposure to untrusted networks. 3. Implement strict file upload controls and validation at the application and network layers, including whitelisting allowed file types and scanning uploads for malware. 4. Employ runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect and block suspicious upload attempts targeting these components. 5. Monitor logs and network traffic for anomalous file upload activities and signs of exploitation attempts. 6. Engage with ASTER TEC / ASTER S.p.A. for official patches or security advisories and apply updates promptly once available. 7. Consider deploying intrusion detection/prevention systems (IDS/IPS) tuned for this vulnerability's indicators. 8. Educate system administrators and security teams about this vulnerability to ensure rapid response capability. 9. If possible, isolate or temporarily disable vulnerable components until patches are released. 10. Review and enhance overall application security posture, including least privilege principles and secure coding practices to reduce attack surface.