Platform: dotnet
Component: inka-net
Fixed in: 6.7.1
CVE-2025-9846 describes an Unrestricted File Upload vulnerability discovered in TalentSys Consulting's Inka.Net software. This flaw allows attackers to upload files of any type, including those containing malicious code, which can then be executed on the server, leading to Command Injection. Versions of Inka.Net prior to 6.7.1 are affected. A patch is available, resolving this critical security risk.
The Unrestricted File Upload vulnerability in Inka.Net presents a severe risk of remote code execution (RCE). An attacker could upload a malicious script (e.g., PHP, ASPX) and execute it on the server, gaining control over the system. This could lead to data breaches, modification of sensitive information, installation of malware, and complete compromise of the Inka.Net server. The ability to inject commands significantly expands the attack surface, allowing for lateral movement within the network if the server has access to other systems. The blast radius extends to any data stored or processed by the Inka.Net application and any systems accessible from the compromised server. This vulnerability shares similarities with other file upload vulnerabilities where improper file type validation allows for the execution of arbitrary code.
CVE-2025-9846 was published on 2025-09-23. The vulnerability has a CVSS score of 10 (CRITICAL), indicating a high probability of exploitation. As of the publication date, there are no publicly available Proof-of-Concept (POC) exploits. The EPSS score is expected to be high, reflecting the ease of exploitation and the potential impact. It is recommended to monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting Inka.Net.
Exploit Status
EPSS: 0.23% (46th percentile)
The primary mitigation for CVE-2025-9846 is to immediately upgrade Inka.Net to version 6.7.1 or later. Prior to upgrading, it is highly recommended to create a full backup of the Inka.Net installation and associated data. If upgrading is not immediately feasible, implement temporary workarounds such as strict file type validation on the upload endpoint, restricting allowed file extensions to only those absolutely necessary for the application's functionality. Implement a Web Application Firewall (WAF) with rules to block suspicious file uploads and command injection attempts. Regularly scan the Inka.Net installation directory for unauthorized files. After upgrading, confirm the vulnerability is resolved by attempting to upload a known malicious file type (e.g., a PHP script) and verifying that the upload is rejected and the script is not executed.
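The strict file type validation recommended above as a temporary workaround is illustrated below. This is an added example written for this page, not Inka.Net code or a TalentSys Consulting patch; the allow-list of accepted types, the 10 MiB size limit and the quarantine storage directory are assumptions. The validator applies three checks a defender would want on any upload endpoint: the extension must be on an allow-list (never a deny-list of "dangerous" extensions), the file's leading bytes must agree with that extension, and the client-supplied name is never written to disk, so a name such as "shell.aspx" cannot produce an executable file regardless of what the server is configured to run.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public sealed class UploadDecision
{
    public bool Accepted { get; init; }
    public string Reason { get; init; } = "";
    public string StoredName { get; init; } = "";
}

public static class UploadValidator
{
    // Assumed allow-list: extension -> leading bytes ("magic number") the content must start with.
    private static readonly Dictionary<string, byte[]> Allowed =
        new(StringComparer.OrdinalIgnoreCase)
        {
            [".pdf"] = new byte[] { 0x25, 0x50, 0x44, 0x46 }, // "%PDF"
            [".png"] = new byte[] { 0x89, 0x50, 0x4E, 0x47 }, // "\x89PNG"
            [".jpg"] = new byte[] { 0xFF, 0xD8, 0xFF },       // JPEG start-of-image marker
        };

    private const int MaxBytes = 10 * 1024 * 1024; // assumed 10 MiB limit

    public static UploadDecision Validate(string clientFileName, byte[] content)
    {
        if (content is null || content.Length == 0)
            return Reject("empty upload");
        if (content.Length > MaxBytes)
            return Reject("exceeds size limit");

        // Discard any directory component the client sent; only the final extension is consulted.
        string name = Path.GetFileName(clientFileName ?? "");
        string ext = Path.GetExtension(name);
        if (ext.Length == 0 || !Allowed.TryGetValue(ext, out var magic))
            return Reject($"extension '{ext}' is not on the allow-list");

        // The declared extension must agree with the content's leading bytes.
        if (content.Length < magic.Length || !content.AsSpan(0, magic.Length).SequenceEqual(magic))
            return Reject("content does not match the declared type");

        // Never reuse the client-supplied name: a random name plus the allow-listed
        // extension is all that reaches disk.
        string stored = Convert.ToHexString(RandomNumberGenerator.GetBytes(16)).ToLowerInvariant()
                        + ext.ToLowerInvariant();
        return new UploadDecision { Accepted = true, StoredName = stored };
    }

    private static UploadDecision Reject(string why) =>
        new() { Accepted = false, Reason = why };
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample uploads (not real traffic): one genuine PDF header, one script
        // extension, one non-PDF body wearing a .pdf name, and one path-traversal attempt.
        var samples = new (string Name, byte[] Body)[]
        {
            ("report.pdf", new byte[] { 0x25, 0x50, 0x44, 0x46, 0x2D, 0x31, 0x2E, 0x37 }),
            ("shell.aspx", Encoding.ASCII.GetBytes("not a document")),
            ("shell.pdf", Encoding.ASCII.GetBytes("not a document")),
            ("..\\..\\web.config", Encoding.ASCII.GetBytes("<?xml")),
        };

        // Assumed storage location outside the web root, so nothing stored here is ever served
        // or executed directly by the web server.
        string storageRoot = Path.Combine(Path.GetTempPath(), "uploads-quarantine");
        foreach (var (name, body) in samples)
        {
            UploadDecision d = UploadValidator.Validate(name, body);
            Console.WriteLine(d.Accepted
                ? $"{name}: accepted, would be stored as {Path.Combine(storageRoot, d.StoredName)}"
                : $"{name}: rejected ({d.Reason})");
        }
    }
}
```

In this example only "report.pdf" is accepted; the other three are rejected, and the accepted file lands under a random name in a directory the web server does not serve. In a real ASP.NET endpoint the bytes would come from the request body (for example an IFormFile stream) rather than a byte array, but the decision logic is the same.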
Update Inka.Net to version 6.7.1 or later. This update fixes the unrestricted file upload vulnerability. Consult the release notes for version 6.7.1 for more details on the fix.
It's a CRITICAL Unrestricted File Upload vulnerability in TalentSys Consulting's Inka.Net, allowing attackers to upload malicious files and potentially execute commands.
If you are using Inka.Net versions 0.0 through 6.7.1, you are vulnerable to this attack. Check your version immediately.
Upgrade Inka.Net to version 6.7.1 or later. If upgrading is not possible, implement temporary workarounds like strict file type validation and a WAF.
As of the publication date, no public exploits are known, but the high CVSS score suggests a high likelihood of exploitation.
Refer to the official TalentSys Consulting security advisory and the NVD entry for CVE-2025-9846 for detailed information.