CVE-2026-0522: CWE-610 Externally Controlled Reference to a Resource in Another Sphere in VertiGIS VertiGIS FM
A local file inclusion vulnerability in the upload/download flow of the VertiGIS FM application allows authenticated attackers to read arbitrary files from the server by manipulating a file's path during its upload. When the file is subsequently downloaded, the file at the attacker-controlled path is returned. Due to the application's ASP.NET architecture, this could potentially lead to remote code execution when the "web.config" file is obtained. Furthermore, the application resolves UNC paths, which may enable NTLM-relaying attacks. This issue affects VertiGIS FM: 10.5.00119 (0d29d428).
AI Analysis
Technical Summary
CVE-2026-0522 is a local file inclusion (LFI) vulnerability classified under CWE-610, affecting VertiGIS FM version 10.5.00119. The vulnerability arises from insecure handling of file paths during the upload and download processes. Authenticated attackers can manipulate the file path parameter during upload to reference arbitrary files on the server. When these files are subsequently downloaded, the server returns the contents of the attacker-controlled path, enabling unauthorized file disclosure. Given VertiGIS FM’s ASP.NET architecture, obtaining sensitive files such as the web.config could allow attackers to execute remote code on the server, escalating the impact from information disclosure to full system compromise. Additionally, the application resolves UNC (Universal Naming Convention) paths, which can be abused to perform NTLM relay attacks, potentially allowing attackers to impersonate users or escalate privileges within the network. The vulnerability requires only low complexity to exploit, no user interaction, and only authenticated access, making it a significant risk for organizations relying on this software. Although no public exploits have been reported yet, the potential impact and ease of exploitation warrant immediate attention.
Potential Impact
The vulnerability can lead to severe consequences including unauthorized disclosure of sensitive files, such as configuration files containing credentials or secrets, and potentially remote code execution on affected servers. This compromises confidentiality, integrity, and availability of the affected systems. Attackers could leverage this to gain persistent access, move laterally within networks, or disrupt services. The NTLM relay attack vector further increases risk by enabling credential theft and privilege escalation within Windows environments. Organizations using VertiGIS FM in critical infrastructure, utilities, or government sectors could face operational disruptions, data breaches, and reputational damage. The requirement for only authenticated access lowers the barrier for exploitation, especially if credentials are weak or compromised.
Mitigation Recommendations
Organizations should immediately verify whether they are running VertiGIS FM version 10.5.00119 and prioritize applying any patches or updates from VertiGIS that address CVE-2026-0522. Until a patch is applied, restrict the upload and download functionality to trusted users only and enforce strict input validation and sanitization on file path parameters to prevent path traversal and LFI. Disable or restrict UNC path resolution in the application configuration to mitigate the NTLM relay risk. Employ network segmentation and strong authentication, including multi-factor authentication, to reduce the risk of credential compromise. Monitor logs for unusual file access patterns or attempts to reach sensitive files such as web.config. Conduct regular security assessments and penetration testing focused on file upload/download features. Finally, educate users about the risks of credential sharing and phishing, since the attack requires an authenticated account.
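The path validation the mitigation paragraph calls for, as an added example that is not VertiGIS code: it checks the client-supplied path field of an upload request and refuses UNC paths, drive letters, directory components and unexpected file types before anything is written, then re-checks containment on the resolved path. Python's ntpath is used so Windows path rules apply on any host; the upload root and the allowed extensions are assumptions.

```python
import ntpath
import re
from typing import Optional

# Added example, not VertiGIS code. ntpath applies Windows path semantics on
# any host OS, matching what an ASP.NET/IIS deployment sees. UPLOAD_ROOT and
# ALLOWED_EXT are assumed policy values, not taken from the product.
UPLOAD_ROOT = r"C:\inetpub\vertigis\uploads"
ALLOWED_EXT = {".pdf", ".png", ".jpg", ".docx"}
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"{d}{i}" for d in ("COM", "LPT") for i in range(1, 10)}
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,199}")


def reject_reason(user_path: str) -> Optional[str]:
    """Return why the value must be refused, or None if it is a plain file name.

    The rule is reject, never repair: stripping '..' segments or leading
    slashes invites bypasses, so anything that is not a bare name is refused.
    """
    p = user_path.replace("/", "\\")           # IIS treats both separators alike
    if "\x00" in p:
        return "nul byte"
    if p.startswith("\\\\"):                   # \\server\share or //server/share
        return "unc path"                      # resolving it would send NTLM auth outbound
    if ntpath.splitdrive(p)[0]:                # C:\..., or drive-relative C:web.config
        return "drive letter"
    if "\\" in p:                              # covers ..\..\web.config traversal
        return "directory component"
    if ":" in p:                               # NTFS alternate data stream
        return "alternate data stream"
    if p.split(".")[0].upper() in RESERVED:    # CON.pdf still maps to the device
        return "reserved device name"
    if not SAFE_NAME.fullmatch(p) or p.endswith((" ", ".")):
        return "disallowed characters"
    if ntpath.splitext(p)[1].lower() not in ALLOWED_EXT:
        return "file type not allowed"         # e.g. web.config
    return None


def storage_path(user_path: str) -> str:
    """Absolute on-disk path under UPLOAD_ROOT for an accepted name; raises otherwise."""
    reason = reject_reason(user_path)
    if reason is not None:
        raise ValueError(f"rejected upload path: {reason}")
    full = ntpath.normpath(ntpath.join(UPLOAD_ROOT, user_path))
    # Independent containment check so a later rule change cannot silently
    # reopen the traversal; the download handler should apply the same check.
    if not ntpath.normcase(full).startswith(ntpath.normcase(UPLOAD_ROOT) + "\\"):
        raise ValueError("rejected upload path: escapes upload root")
    return full
```

The download side should look files up by a server-generated identifier and pass the stored name through `storage_path` again rather than trusting any path persisted from the upload request.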
Affected Countries
United States, Canada, United Kingdom, Germany, Australia, Netherlands, France, Sweden, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: NCSC.ch
- Date Reserved: 2025-12-17T08:22:38.979Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69cd1fdee6bfc5ba1dd19c06
Added to database: 4/1/2026, 1:38:38 PM
Last enriched: 4/1/2026, 1:54:18 PM
Last updated: 4/5/2026, 1:36:38 PM