CVE-2026-29522 is a critical local file inclusion vulnerability affecting ZwickRoell GmbH & Co. KG's Test Data Management software versions prior to 3.0.8. The vulnerability arises from improper limitation of a pathname to a restricted directory (CWE-22) in the /server/node_upgrade_srv.js endpoint. Specifically, the firmware parameter does not properly sanitize input, allowing an attacker to inject directory traversal sequences (e.g., ../) to access arbitrary files on the server's filesystem. This flaw is exploitable remotely without authentication or user interaction, making it highly accessible to attackers. Successful exploitation leads to information disclosure of sensitive system files, which could include configuration files, credentials, or other critical data. The vulnerability has a CVSS 4.0 base score of 8.7, reflecting its high impact on confidentiality and ease of exploitation. No patches are currently linked, so mitigation relies on upgrading to version 3.0.8 or later once available, or implementing network-level protections. The vulnerability does not affect integrity or availability directly but poses a significant risk due to potential leakage of sensitive information that could facilitate further attacks.

The primary impact of CVE-2026-29522 is unauthorized disclosure of sensitive information stored on servers running vulnerable versions of ZwickRoell Test Data Management software. This can lead to exposure of system configuration files, credentials, or proprietary test data, which may be leveraged by attackers for further compromise, lateral movement, or intellectual property theft. Since the vulnerability requires no authentication and can be exploited remotely, it significantly increases the attack surface. Organizations relying on this software in industrial testing or manufacturing environments could face operational risks if sensitive data is leaked. Additionally, disclosure of system files may reveal other vulnerabilities or system details, escalating the threat. While no direct integrity or availability impact is reported, the confidentiality breach alone can have severe consequences, including regulatory compliance violations, reputational damage, and financial losses.

To mitigate CVE-2026-29522, organizations should immediately verify if they are running affected versions of ZwickRoell Test Data Management software prior to 3.0.8. Since no official patch links are currently available, organizations should: 1) Restrict network access to the /server/node_upgrade_srv.js endpoint by implementing firewall rules or network segmentation to limit exposure to trusted hosts only. 2) Employ web application firewalls (WAFs) with custom rules to detect and block directory traversal patterns in the firmware parameter. 3) Monitor server logs for suspicious requests containing traversal sequences and respond promptly to potential exploitation attempts. 4) Coordinate with ZwickRoell for timely updates or patches and plan for an upgrade to version 3.0.8 or later once released. 5) Conduct internal audits to identify and secure sensitive files that could be exposed. 6) Implement least privilege principles on the server filesystem to minimize accessible sensitive files by the application process. These targeted actions go beyond generic advice by focusing on immediate access controls and monitoring until a patch is applied.