Fixed version
6.7.1
CVE-2025-9846 describes an Unrestricted File Upload vulnerability discovered in TalentSys Consulting's Inka.Net software. This flaw allows attackers to upload files of any type, including those containing malicious code, which can then be executed on the server, leading to Command Injection. Versions of Inka.Net prior to 6.7.1 are affected. A patch is available, resolving this critical security risk.
The Unrestricted File Upload vulnerability in Inka.Net presents a severe risk of remote code execution (RCE). An attacker could upload a malicious script (e.g., PHP, ASPX) and execute it on the server, gaining control over the system. This could lead to data breaches, modification of sensitive information, installation of malware, and complete compromise of the Inka.Net server. The ability to inject commands significantly expands the attack surface, allowing for lateral movement within the network if the server has access to other systems. The blast radius extends to any data stored or processed by the Inka.Net application and any systems accessible from the compromised server. This vulnerability shares similarities with other file upload vulnerabilities where improper file type validation allows for the execution of arbitrary code.
CVE-2025-9846 was published on 2025-09-23. The vulnerability has a CVSS score of 10 (CRITICAL), indicating a high probability of exploitation. As of the publication date, there are no publicly available proof-of-concept (PoC) exploits. The EPSS score is expected to be high, reflecting the ease of exploitation and the potential impact. It is recommended to monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting Inka.Net.
Exploitation status
EPSS
0.23% (46th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-9846 is to immediately upgrade Inka.Net to version 6.7.1 or later. Prior to upgrading, it is highly recommended to create a full backup of the Inka.Net installation and associated data. If upgrading is not immediately feasible, implement temporary workarounds such as strict file type validation on the upload endpoint, restricting allowed file extensions to only those absolutely necessary for the application's functionality. Implement a Web Application Firewall (WAF) with rules to block suspicious file uploads and command injection attempts. Regularly scan the Inka.Net installation directory for unauthorized files. After upgrading, confirm the vulnerability is resolved by attempting to upload a known malicious file type (e.g., a PHP script) and verifying that the upload is rejected and the script is not executed.
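The deny-by-default upload filter that the temporary workaround above describes, written here as an added example in Python (it is not Inka.Net or TalentSys code, and the endpoint's allowlist, magic-byte table and script-extension set are assumptions). It rejects renamed and double-extension scripts, neutralises path components, and requires the content to match the declared type; it is a stopgap, the fix remains the 6.7.1 upgrade.

```python
"""Hardened upload filter for an unrestricted-file-upload workaround:
extension allowlist plus content check, so a server-side script such as
.php or .aspx is rejected even when renamed. Added example, not product code."""
import os
import re

# Assumed allowlist for a document-upload endpoint: extension -> magic bytes.
ALLOWED = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# Server-executable extensions that must never appear anywhere in the name.
SCRIPT_EXTS = {".php", ".phtml", ".asp", ".aspx", ".ashx", ".jsp", ".cgi"}


def validate_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, reason). Every check is deny-by-default."""
    if "\x00" in filename:
        return False, "null byte in filename"
    # Keep only the basename so '../web/x.aspx' cannot escape the upload dir.
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    # Reject 'x.aspx.png' style names: every dotted part after the first counts.
    parts = base.lower().split(".")
    if any("." + p in SCRIPT_EXTS for p in parts[1:]):
        return False, "server-side script extension present"
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not in allowlist"
    if not SAFE_STEM.match(stem):
        return False, "filename characters outside [A-Za-z0-9_-]"
    # The extension alone is not trusted: content must match its magic bytes.
    if not any(content.startswith(m) for m in ALLOWED[ext]):
        return False, "content does not match declared type"
    return True, "accepted"


def unauthorized_files(stored_paths):
    """Periodic scan of the upload directory, as the advisory suggests:
    report any stored file whose extension is outside the allowlist."""
    return [p for p in stored_paths
            if os.path.splitext(p)[1].lower() not in ALLOWED]
```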
Upgrade Inka.Net to version 6.7.1 or later. This update fixes the unrestricted file upload vulnerability. See the changelog for version 6.7.1 for more details on the fix.
It's a CRITICAL Unrestricted File Upload vulnerability in TalentSys Consulting's Inka.Net, allowing attackers to upload malicious files and potentially execute commands.
If you are using Inka.Net versions 0.0 through 6.7.1, you are vulnerable to this attack. Check your version immediately.
Upgrade Inka.Net to version 6.7.1 or later. If upgrading is not possible, implement temporary workarounds like strict file type validation and a WAF.
As of the publication date, no public exploits are known, but the high CVSS score suggests a high likelihood of exploitation.
Refer to the official TalentSys Consulting security advisory and the NVD entry for CVE-2025-9846 for detailed information.