CVE-2025-67260
Received Received - Intake
File Upload Vulnerability in Terrapack Enables Remote Code Execution

Publication date: 2026-03-20

Last updated on: 2026-04-14

Assigner: MITRE

Description
The Terrapack software, from ASTER TEC / ASTER S.p.A., with the indicated components and versions has a file upload vulnerability that may allow attackers to execute arbitrary code. Vulnerable components include Terrapack TkWebCoreNG:: 1.0.20200914, Terrapack TKServerCGI 2.5.4.150, and Terrapack TpkWebGIS Client 1.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67260
EUVD
EUVD-2025-208903
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
aster-te terrapack_tkservercgi 2.5.4.150
aster-te terrapack_tkwebcoreng 1.0.20200914
aster-te terrapack_tpkwebgis 1.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'The CVE-2025-67260 vulnerability affects the Terrapack software suite developed by ASTER TEC / ASTER S.p.A., specifically the components Terrapack TkWebCoreNG version 1.0.20200914, TKServerCGI version 2.5.4.150, and TpkWebGIS - Client version 1.0.0.'}, {'type': 'paragraph', 'content': 'This vulnerability is an arbitrary file upload flaw located in the web application’s file upload and import functionality, particularly in the "TkWebCoreNG/InputOutputFile.php" script. The script lacks adequate server-side validation to restrict the types of files users can upload.'}, {'type': 'paragraph', 'content': 'Uploaded files are stored in the "TkRepository" directory without proper sanitization or access controls, allowing an attacker with access to the platform to upload malicious files. This can potentially lead to Remote Code Execution (RCE) if the attacker gains access to the directory where files are stored.'}, {'type': 'paragraph', 'content': 'The vulnerability has a high severity rating with a CVSSv3 score of 8.8, indicating it can be exploited remotely over the network with low attack complexity and limited privileges, resulting in full confidentiality, integrity, and availability impact.'}] [4]

Impact Analysis

This vulnerability can allow attackers to upload arbitrary malicious files to the Terrapack system, which may lead to Remote Code Execution (RCE).

Exploitation of this flaw can result in an attacker gaining control over the affected system, compromising confidentiality, integrity, and availability of data and services.

Because the vulnerability can be exploited remotely with low complexity and limited privileges, it poses a significant risk to systems running vulnerable Terrapack components, especially if exposed externally without adequate security measures.

Compliance Impact

I don't know

Detection Guidance

The vulnerability exists in the Terrapack software suite, specifically in the file upload functionality of the TkWebCoreNG/InputOutputFile.php script, which lacks proper validation and allows arbitrary file uploads.

To detect this vulnerability on your system, you should first identify if any of the vulnerable Terrapack components are installed, such as Terrapack TkWebCoreNG version 1.0.20200914, TKServerCGI version 2.5.4.150, or TpkWebGIS Client version 1.0.0.

You can check for the presence of these components by searching for their installation directories or files related to TkWebCoreNG/InputOutputFile.php and the TkRepository directory where uploaded files are stored.

Commands to help detect the vulnerability might include:

  • On Linux systems, use: `find / -name InputOutputFile.php` to locate the vulnerable script.
  • Check for suspicious or unexpected files in the TkRepository directory: `ls -l /path/to/TkRepository`.
  • Monitor web server logs for unusual file upload activity targeting the InputOutputFile.php endpoint.
  • Use network monitoring tools to detect attempts to upload files via HTTP POST requests to the vulnerable components.

Note that the vulnerability requires at least limited privileges (PR:L) and is exploitable remotely, so monitoring access logs and file system changes is critical.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable Terrapack components, especially the file upload functionality.

Since the vendor recommends operating Terrapack in secure, preferably air-gapped environments, ensure that the affected systems are not exposed to untrusted networks.

  • Limit network access to the Terrapack services by using firewalls or network segmentation.
  • Implement strict access controls and authentication to prevent unauthorized users from uploading files.
  • Monitor and audit file uploads to detect and block malicious files.
  • If possible, disable or restrict the vulnerable file upload functionality until a patch or update is available.

Contact the vendor or check official channels for patches or updates addressing this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67260. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart