CVE-2026-4170
Awaiting Analysis Awaiting Analysis - Queue
OS Command Injection in Topsec TopACM HTTP Request Handler

Publication date: 2026-03-16

Last updated on: 2026-03-16

Assigner: VulDB

Description
A weakness has been identified in Topsec TopACM 3.0. Affected by this vulnerability is an unknown functionality of the file /view/systemConfig/management/nmc_sync.php of the component HTTP Request Handler. Executing a manipulation of the argument template_path can lead to os command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-03-16
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4170
EUVD
EUVD-2026-12214
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
topsec_technologies_inc. topacm 3.0
topsec topacm 3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-4170 is a critical OS command injection vulnerability found in Topsec TopACM version 3.0, specifically in the HTTP Request Handler component within the file /view/systemConfig/management/nmc_sync.php.

The vulnerability arises because the argument template_path is improperly handled, allowing an attacker to inject and execute arbitrary operating system commands remotely without any authentication.

This means an attacker can send specially crafted HTTP requests to this endpoint and execute shell commands on the affected server.

The vulnerability corresponds to CWE-78, where external input is used to construct OS commands without proper neutralization, leading to command injection.

Impact Analysis

Exploitation of this vulnerability can lead to severe impacts including full system compromise.

  • Attackers can execute arbitrary OS commands remotely without authentication.
  • It can result in sensitive data exfiltration.
  • Attackers may gain persistent control over the affected host server.
  • The vulnerability impacts confidentiality, integrity, and availability of the system.
Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by searching for the URL pattern in your network or system logs that matches the vulnerable endpoint: /view/systemConfig/management/nmc_sync.php.

One detection method is to look for HTTP requests that include the argument template_path being manipulated or suspiciously crafted, as this is the injection point.

Google hacking techniques can be used to locate vulnerable targets by searching for URLs containing inurl:view/systemConfig/management/nmc_sync.php.

While no specific detection commands are provided, monitoring HTTP request logs for unusual or unexpected commands injected via the template_path parameter is recommended.

Mitigation Strategies

No known mitigations or countermeasures have been published by the vendor for this vulnerability.

It is suggested to consider replacing the affected product, Topsec TopACM version 3.0, with an alternative solution to avoid exposure.

As an immediate step, restrict access to the vulnerable endpoint /view/systemConfig/management/nmc_sync.php if possible, such as by network segmentation or firewall rules, to reduce exposure.

Monitor your systems closely for any signs of exploitation, given that a public exploit is available and the vulnerability can be exploited remotely without authentication.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4170. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart