An external control of file name or path vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to execute arbitrary system commands via a malicious file by controlling the destination file path.
The vulnerability (CWE-73 — External Control of File Name or Path) is based on the application allowing an external attacker to control the target path of a saved file. By uploading a specially crafted file and specifying any target path, an attacker can place a malicious file anywhere in the server's file system. Subsequently, it is possible to execute this file as a system command, leading to full RCE — without the need for any privileges or user interaction.
An attacker gains the ability to execute arbitrary system commands on the server, which in practice means complete takeover of the system, possibility of data theft, installation of a backdoor, or lateral movement within the internal network.
SUNNET Corporate Training Management System should be immediately updated to version 10.11 or newer. Details are available in the vendor references and in advisory ZA-2025-13 published by ZUSO AI (https://zuso.ai/advisory/za-2025-13). Until the patch is applied, it is recommended to restrict network access to the system or isolate it behind a firewall.
SUNNET Corporate Training Management System (Sun.Net Ehrd Ctms) in versions before 10.11
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XSun.net Ehrd Ctms
APPSun.Net< 10.11
Related vulnerabilities
Brak uwierzytelnienia w SUNNET CTMS — dostęp do funkcji wdrożeniowych
Brak autoryzacji w SUNNET CTMS umożliwia nieautoryzowane wdrożenie aplikacji
SQL Injection w SUNNET Corporate Training Management System
SQL Injection w eHDR CTMS (Sunnet) umożliwia nieautoryzowany dostęp do bazy
CTMS developed by Sunnet has a SQL Injection vulnerability, allowing authenticated remote attackers to inject ...