CVE-2026-29522: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in ZwickRoell GmbH & Co. KG Test Data Management
CVE-2026-29522 is a high-severity local file inclusion (LFI) vulnerability affecting ZwickRoell GmbH & Co. KG Test Data Management software versions prior to 3.0.8. The vulnerability exists in the /server/node_upgrade_srv.js endpoint, where an unauthenticated attacker can exploit improper pathname limitation (CWE-22) by supplying directory traversal sequences via the firmware parameter. This allows attackers to access arbitrary files on the server, leading to sensitive information disclosure. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. Although no known exploits are currently reported in the wild, the CVSS 4.0 base score of 8.
AI Analysis
Technical Summary
CVE-2026-29522 is a path traversal vulnerability (CWE-22, Improper Limitation of a Pathname to a Restricted Directory), described by the advisory as local file inclusion, in ZwickRoell GmbH & Co. KG's Test Data Management software prior to version 3.0.8. The flaw resides in the /server/node_upgrade_srv.js endpoint, which builds a filesystem path from a firmware parameter without validating or sanitizing directory traversal sequences such as '../' (which may also arrive percent-encoded, for example '%2e%2e%2f'). An unauthenticated attacker can craft requests whose firmware value climbs out of the intended directory and reads arbitrary files on the server's filesystem, exposing system files, configuration data, or credentials stored on the server. The vulnerability is exploitable over the network without privileges or user interaction, which raises its risk profile. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), no attack requirements (AT:N), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality (VC:H) with no impact on integrity or availability. Note that in CVSS 4.0 the AT metric denotes attack requirements, not authentication; the absence of any authentication requirement is expressed by PR:N. No public exploit code is currently known, and the fix is contained in version 3.0.8; the endpoint's role in firmware upgrades nevertheless makes the flaw a significant threat to the confidentiality of affected systems. All versions prior to 3.0.8 are affected, and organizations running them should apply the update promptly or implement mitigations until they can.
Potential Impact
The primary impact of CVE-2026-29522 is unauthorized disclosure of sensitive information through arbitrary file read via directory traversal. Attackers can read configuration files, credentials, logs, or other sensitive data stored on the server, potentially enabling follow-on attacks such as privilege escalation or lateral movement. This compromises the confidentiality of the affected systems and may lead to intellectual property theft, exposure of personally identifiable information (PII), or disruption of business operations if sensitive operational data is leaked. Because the vulnerability requires no authentication and can be exploited remotely, it poses a significant risk to organizations using the affected software worldwide. The current absence of known exploits in the wild reduces immediate risk, but the high CVSS score and ease of exploitation make it a high-priority issue that could be targeted by threat actors once exploit code becomes available. Industries relying on ZwickRoell Test Data Management for quality assurance and testing, especially in manufacturing, automotive, and materials testing, are particularly exposed.
Mitigation Recommendations
1. Upgrade to ZwickRoell Test Data Management version 3.0.8 or later, where this vulnerability is fixed.
2. If immediate patching is not possible, implement network-level access controls to restrict access to the /server/node_upgrade_srv.js endpoint, limiting it to trusted internal IP addresses only.
3. Employ web application firewalls (WAFs) with custom rules to detect and block directory traversal patterns in the firmware parameter. Rules must normalize percent-encoding (including double encoding such as '%252e') and treat backslashes like forward slashes, and a WAF is a stopgap rather than a substitute for the patch.
4. Run the service under a dedicated low-privilege account and audit file permissions regularly so that files outside the application's own data are not readable by that account; this limits what a successful traversal can reach.
5. Monitor logs for requests to the vulnerable endpoint whose firmware parameter contains traversal sequences, decoding the value before matching so encoded variants are not missed.
6. Implement strict input validation on all parameters that influence file paths: resolve the supplied value against the intended base directory and reject anything whose resolved path falls outside it.
7. Isolate the Test Data Management server in a segmented network zone to reduce exposure.
8. Brief security teams on this vulnerability so that exploitation attempts can be detected and handled quickly.
Affected Countries
Germany, United States, China, Japan, South Korea, France, United Kingdom, Italy, Canada, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-03-04T15:39:26.873Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b86eef771bdb1749567832
Added to database: 3/16/2026, 8:58:23 PM
Last enriched: 3/24/2026, 1:05:48 AM
Last updated: 4/30/2026, 3:16:38 PM