CVE-2026-28674: CWE-434: Unrestricted Upload of File with Dangerous Type in danvei233 xiaoheiFS
CVE-2026-28674 is a high-severity vulnerability in danvei233's xiaoheiFS versions prior to 0.4.0. It allows authenticated administrators to upload arbitrary files, including executables, to the plugins/payment/ directory via the AdminPaymentPluginUpload endpoint. The endpoint is protected only by a hardcoded password and does not validate file names or contents. A background watcher process scans this directory every 5 seconds and executes any newly uploaded executable file, which turns the upload into remote code execution (RCE) and can lead to full system compromise, affecting confidentiality, integrity and availability. The vulnerability is fixed in version 0.4.0.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-28674 affects xiaoheiFS, a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the AdminPaymentPluginUpload endpoint lets an administrator upload files into the plugins/payment/ directory. Authentication for this endpoint relies solely on a hardcoded password ('qweasd123456'), a CWE-798 weakness: once the value is public, the "administrator privileges" that the CVSS vector credits are little more than knowledge of a string. More critically, the endpoint does not validate the name, type or content of uploaded files (CWE-434), so any file, including a native executable or a script, is written to disk unchanged. A background watcher started by StartWatcher polls plugins/payment/ every 5 seconds and executes any newly detected executable file. Together the two flaws yield remote code execution with the privileges of the xiaoheiFS service process. The CVSS 3.1 base score is 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity and availability. The issue is resolved in xiaoheiFS 0.4.0; the advisory does not detail the fix, but removal of the hardcoded password together with validation of uploads and a watcher that no longer executes arbitrary new files are the expected changes. No exploitation in the wild has been reported, but given the publicly known password the practical barrier to exploitation is network reachability of the admin interface, and the outcome is complete takeover of the host.
Potential Impact
This vulnerability can have severe consequences for organizations using affected versions of xiaoheiFS. Successful exploitation allows an attacker with administrative credentials to execute arbitrary code on the server hosting the system, potentially leading to full system compromise. This can result in unauthorized access to sensitive financial and operational data, disruption of cloud service business operations, and the deployment of persistent malware or ransomware. The compromise of confidentiality, integrity, and availability can damage organizational reputation, cause financial losses, and lead to regulatory penalties, especially in industries with strict compliance requirements. Since xiaoheiFS is used in cloud service environments, exploitation could also impact multi-tenant infrastructures, increasing the scope of damage. The hardcoded password increases the risk of credential leakage or brute force discovery, further elevating the threat. Organizations that do not promptly patch or mitigate this vulnerability remain exposed to potentially devastating attacks.
Mitigation Recommendations
1. Upgrade immediately to xiaoheiFS 0.4.0 or later, which addresses this vulnerability.
2. Until the upgrade is possible, restrict access to the admin interface, and to the AdminPaymentPluginUpload endpoint in particular, by network segmentation, IP allowlisting or VPN access. Because the password is hardcoded and public, treat the endpoint as effectively unauthenticated when judging exposure.
3. Replace the hardcoded password with a strong, unique credential stored outside the source (if the value is compiled in, this requires a code change and rebuild), and enforce multi-factor authentication for admin accounts where the deployment supports it.
4. Implement strict file validation on all upload endpoints: reject path components and hidden names, allow only an explicit list of extensions, and inspect the content for executable signatures (ELF, PE, shebang lines) rather than trusting the declared file name or MIME type.
5. Disable or modify the StartWatcher process so that it never executes a file merely because it appeared. If plugins must run, execute only those whose signature or hash matches an operator-controlled allowlist that is stored outside the writable plugin directory.
6. Monitor logs and file system changes in plugins/payment/ (for example with auditd or inotify-based tooling) and alert on newly created executable files and on unexpected child processes of the xiaoheiFS service.
7. Conduct regular security audits and penetration testing focused on upload functionality and privilege management.
8. Educate administrators on secure password practices and the risks of default or hardcoded credentials.
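Items 4 and 5 above in code form, as an added example that is not xiaoheiFS's own code. The function names (ValidateUpload, VulnerableScan, HardenedScan, SetupDemoDir), the allowed extensions, the hash allowlist and the sample files are assumptions; Go is used because the handler and watcher names on this page follow Go conventions, not because the project's language is confirmed here. VulnerableScan reproduces the watcher behaviour the advisory describes, modelled as "any regular file with an executable bit", beside a hardened scan that only returns allowlisted digests, and ValidateUpload shows the check the upload endpoint lacked.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Added example, not xiaoheiFS code: function names, allowed extensions,
// the allowlist mechanism and the sample files are assumptions.

// Leading bytes of native executables and scripts; rejected whatever the name.
var executableMagics = [][]byte{
	{0x7f, 'E', 'L', 'F'}, // ELF
	{'M', 'Z'},            // PE / DOS stub
	{'#', '!'},            // interpreted script with shebang
}

// Assumption: payment plugins are declarative, so only data formats pass.
var allowedExt = map[string]bool{".json": true, ".yaml": true, ".yml": true}

// ValidateUpload is the check AdminPaymentPluginUpload lacked: no path
// components, an extension allowlist and content sniffing for executables.
func ValidateUpload(name string, content []byte) error {
	if name == "" || name != filepath.Base(name) ||
		strings.ContainsAny(name, `/\`) || strings.HasPrefix(name, ".") {
		return errors.New("filename must be a bare, non-hidden file name")
	}
	if !allowedExt[strings.ToLower(filepath.Ext(name))] {
		return fmt.Errorf("extension %q not allowed", filepath.Ext(name))
	}
	for _, magic := range executableMagics {
		if bytes.HasPrefix(content, magic) {
			return errors.New("executable content rejected")
		}
	}
	return nil
}

// VulnerableScan models the behaviour attributed to StartWatcher (assumed:
// "executable" means the executable mode bit): every such regular file is run.
func VulnerableScan(dir string) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var toRun []string
	for _, e := range entries {
		info, err := e.Info()
		if err == nil && info.Mode().IsRegular() && info.Mode().Perm()&0o111 != 0 {
			toRun = append(toRun, filepath.Join(dir, e.Name()))
		}
	}
	return toRun, nil
}

// HardenedScan returns only files whose SHA-256 is on an operator-managed
// allowlist (kept outside the writable directory), so an uploaded binary is
// never executed merely because it appeared.
func HardenedScan(dir string, allowlist map[string]bool) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var toRun []string
	for _, e := range entries {
		path := filepath.Join(dir, e.Name())
		if data, err := os.ReadFile(path); err == nil && allowlist[Digest(data)] {
			toRun = append(toRun, path)
		}
	}
	return toRun, nil
}

// Digest is the allowlist key: lower-case hex SHA-256 of the file content.
func Digest(data []byte) string { return fmt.Sprintf("%x", sha256.Sum256(data)) }

// SetupDemoDir builds a constructed plugins/payment/ look-alike: a planted
// ELF-headed file with the executable bit set and one approved JSON plugin.
func SetupDemoDir() (dir, goodDigest string, err error) {
	if dir, err = os.MkdirTemp("", "payment-plugins"); err != nil {
		return "", "", err
	}
	elf := []byte{0x7f, 'E', 'L', 'F', 2, 1, 1, 0} // constructed ELF header stub
	good := []byte(`{"provider":"demo"}`)         // constructed approved plugin
	err = os.WriteFile(filepath.Join(dir, "evil"), elf, 0o755)
	if err == nil {
		err = os.WriteFile(filepath.Join(dir, "approved.json"), good, 0o644)
	}
	return dir, Digest(good), err
}

func main() {
	dir, goodDigest, err := SetupDemoDir()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	fmt.Println("upload check:", ValidateUpload("evil.json", []byte{0x7f, 'E', 'L', 'F'}))
	v, _ := VulnerableScan(dir)
	h, _ := HardenedScan(dir, map[string]bool{goodDigest: true})
	fmt.Println("vulnerable watcher would run:", v, "; hardened watcher would run:", h)
}
```

Run it with `go run .` to see the planted "evil" file selected by the vulnerable scan and only approved.json by the hardened one. The content check matters more than the extension check: an attacker who controls the upload chooses the name, so a renamed ELF or a YAML file that begins with "#!" must still be refused. Storing the allowlist (or a signature key) outside plugins/payment/ is what keeps the watcher from trusting anything the upload endpoint can write.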
Affected Countries
United States, China, Germany, United Kingdom, Japan, South Korea, India, Canada, Australia, France
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-02T21:43:19.926Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b9f8b0771bdb174900ac99
Added to database: 3/18/2026, 12:58:24 AM
Last enriched: 3/18/2026, 1:12:41 AM
Last updated: 3/18/2026, 6:46:52 AM
Views: 8