Compliance Impact

The vulnerability allows unauthenticated remote code execution on the O2OA server, potentially leading to full compromise of the application server, including theft of secrets, tampering with binaries, data destruction, and lateral movement.

Such a compromise could result in unauthorized access to sensitive personal data or protected health information, which would negatively impact compliance with standards and regulations like GDPR and HIPAA that require protection of data confidentiality, integrity, and availability.

Therefore, this vulnerability poses a significant risk to maintaining compliance with these regulations due to the potential for data breaches and unauthorized data manipulation.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the NodeAgent service by limiting exposure of TCP port 20010 to trusted networks only, ideally binding the service to localhost or a secure management network.

Additionally, remove or heavily restrict the use of remote execution commands such as 'restart' that execute files written via the same remote channel.

Implement strict allowlists for file paths accepted by the syncFile command to prevent overwriting critical startup scripts or configuration files.

Longer term, replace the weak authentication mechanism with a robust system that uses server-side secrets or cryptographic signatures over nonces and timestamps.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-7292 is a critical security vulnerability in the NodeAgent component of O2OA (versions up to 10.0) that allows unauthenticated remote code execution.

The vulnerability arises from a weak authentication mechanism where the NodeAgent exposes a public RSA key and accepts any credential that decrypts to a fixed prefix "o2@" without validating signatures, nonces, or timestamps.

An attacker can retrieve the public key, forge valid credentials by encrypting the fixed prefix, and then use the syncFile command to overwrite critical startup scripts on the server.

After overwriting these scripts, the attacker can trigger a restart command that executes the malicious scripts, resulting in arbitrary command execution on the server with the privileges of the O2OA service account.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthenticated attackers to execute arbitrary operating system commands on the affected server.

• Full compromise of the application server, including persistent backdoors.
• Theft of sensitive secrets and data.
• Tampering with binaries and startup files.
• Destruction of data.
• Lateral movement within the network.

The exploit requires no authentication and targets a default exposed TCP port, making it easier for attackers to exploit remotely.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the NodeAgent component of O2OA (up to version 10.0) is exposed on the default TCP port 20010 and if the unauthenticated HTTP endpoint for retrieving the RSA public key is accessible.

A detection approach involves attempting to access the public key endpoint and verifying if the NodeAgent service responds on port 20010. Additionally, checking for the presence of suspicious files such as overwritten startup scripts (e.g., start_windows.bat or start_linux.sh) or marker files like 'nodeagent_rce.txt' in typical locations (e.g., C:\Windows\Temp\) can indicate exploitation.

• Use curl or wget to fetch the RSA public key from the HTTP endpoint: curl http://<target-ip>/x_organization_assemble_authentication/jaxrs/authentication/captchaRSAPublicKey
• Use netcat or similar tools to check if TCP port 20010 is open: nc -vz <target-ip> 20010
• Search for suspicious marker files indicating exploitation, e.g., on Windows: dir C:\Windows\Temp\nodeagent_rce.txt

Useful 0 Not Useful 0