CVE-2026-7490
Awaiting Analysis Awaiting Analysis - Queue
Arbitrary File Upload in Sunnet CTMS and CPAS

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: TWCERT/CC

Description
CTMS and CPAS developed by Sunnet has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-02
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-02
EPSS Evaluated
2026-06-14
NVD
CVE-2026-7490
EUVD
EUVD-2026-26770
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
ζ—­θ―η§‘ζŠ€ ctms *
ζ—­θ―η§‘ζŠ€ cpas *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7490 is an arbitrary file upload vulnerability found in CTMS and CPAS software developed by Sunnet (ζ—­θ―η§‘ζŠ€).

This flaw allows a remote attacker who already has administrative (privileged) access to upload malicious web shell scripts to the server.

Once uploaded, these web shells can be executed, enabling the attacker to run arbitrary code on the affected server.

Impact Analysis

If exploited, this vulnerability allows an attacker with high privileges to execute arbitrary code on your server.

This can lead to unauthorized control over the system, potential data breaches, service disruption, or further compromise of the network.

Because the attacker can upload and run web shells, they may maintain persistent access and perform malicious activities undetected.

Mitigation Strategies

Users are advised to apply patches provided by the vendor or contact the vendor for updates to mitigate the risk.

Since the vendor has not yet released a patch, contacting the vendor directly for a solution is recommended.

Compliance Impact

The vulnerability allows privileged remote attackers to upload and execute web shell backdoors, leading to arbitrary code execution on the server. This could potentially result in unauthorized access to sensitive data or disruption of system integrity.

Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information and mandate controls against unauthorized system access.

However, the provided information does not explicitly mention the impact on compliance with these standards or any regulatory considerations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7490. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart