{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-67260", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-23T13:57:45.455Z", "dateReserved": "2025-12-08T00:00:00.000Z", "datePublished": "2026-03-20T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-20T15:38:37.869Z"}, "descriptions": [{"lang": "en", "value": "The Terrapack software, from ASTER TEC / ASTER S.p.A., with the indicated components and versions has a file upload vulnerability that may allow attackers to execute arbitrary code. Vulnerable components include Terrapack TkWebCoreNG:: 1.0.20200914, Terrapack TKServerCGI 2.5.4.150, and Terrapack TpkWebGIS Client 1.0.0."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://aster.com"}, {"url": "http://terrapack.com"}, {"url": "https://www.acn.gov.it/portale/en/csirt-italia"}, {"url": "https://github.com/edi-marc/Vulnerability_List/tree/main/CVE_Terrapack"}, {"url": "https://packetstorm.news/files/id/217271"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-434", "lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T13:57:42.495410Z", "id": "CVE-2025-67260", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T13:57:45.455Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-67260", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-23T13:57:42.495410Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T13:56:59.084Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://aster.com"}, {"url": "http://terrapack.com"}, {"url": "https://www.acn.gov.it/portale/en/csirt-italia"}, {"url": "https://github.com/edi-marc/Vulnerability_List/tree/main/CVE_Terrapack"}, {"url": "https://packetstorm.news/files/id/217271"}], "descriptions": [{"lang": "en", "value": "The Terrapack software, from ASTER TEC / ASTER S.p.A., with the indicated components and versions has a file upload vulnerability that may allow attackers to execute arbitrary code. Vulnerable components include Terrapack TkWebCoreNG:: 1.0.20200914, Terrapack TKServerCGI 2.5.4.150, and Terrapack TpkWebGIS Client 1.0.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-20T15:38:37.869Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67260", "state": "PUBLISHED", "dateUpdated": "2026-03-23T13:57:45.455Z", "dateReserved": "2025-12-08T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-20T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aster-te:terrapack_tkservercgi:2.5.4.150:*:*:*:*:*:*:*", "matchCriteriaId": "1FA18769-1063-4C18-8E1E-0D699E9B3107", "vulnerable": true}, {"criteria": "cpe:2.3:a:aster-te:terrapack_tkwebcoreng:1.0.20200914:*:*:*:*:*:*:*", "matchCriteriaId": "531E6FC2-4DCF-4FBC-8552-C68D5563642F", "vulnerable": true}, {"criteria": "cpe:2.3:a:aster-te:terrapack_tpkwebgis:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "9006E1BD-8656-4E50-A073-60C6ABBABFB4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Terrapack software, from ASTER TEC / ASTER S.p.A., with the indicated components and versions has a file upload vulnerability that may allow attackers to execute arbitrary code. Vulnerable components include Terrapack TkWebCoreNG:: 1.0.20200914, Terrapack TKServerCGI 2.5.4.150, and Terrapack TpkWebGIS Client 1.0.0."}, {"lang": "es", "value": "El software Terrapack, de ASTER TEC / ASTER S.p.A., con los componentes y versiones indicados tiene una vulnerabilidad de carga de archivos que puede permitir a los atacantes ejecutar c\u00f3digo arbitrario. Los componentes vulnerables incluyen Terrapack TkWebCoreNG:: 1.0.20200914, Terrapack TKServerCGI 2.5.4.150 y Terrapack TpkWebGIS Cliente 1.0.0."}], "id": "CVE-2025-67260", "lastModified": "2026-04-14T20:54:09.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-20T16:16:16.490", "references": [{"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "http://aster.com"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://terrapack.com"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/edi-marc/Vulnerability_List/tree/main/CVE_Terrapack"}, {"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "https://packetstorm.news/files/id/217271"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "https://www.acn.gov.it/portale/en/csirt-italia"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2.5.4.150,2.5.4.150]"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "tkservercgi", "vendor": "aster"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.0.20200914,1.0.20200914]"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "tkwebcoreng", "vendor": "aster"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.0"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "tpkwebgis_client", "vendor": "aster"}], "analysis": {"en": {"generated_at": "2026-03-23T15:36:59.965354+00:00", "value": {"mitigation_remediation": ["Contact ASTER S.p.A. for an updated version of the affected Terrapack components that removes the upload flaw.", "If an update is not immediately available, restrict the upload functionality by disabling or removing the upload endpoint, or confining uploads to a directory with no execution permissions.", "Apply network segmentation or firewall rules to block external access to the upload service until a patch is deployed.", "Monitor the web server and file upload logs for signs of unauthorized upload activity, and review system integrity and security controls regularly."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution via File Upload"}, "threat_synthesis": {"affected_systems": "The flaw exists in ASTER TEC\u2019s Terrapack package. Affected components and versions are: Terrapack TkWebCoreNG 1.0.20200914, Terrapack TKServerCGI 2.5.4.150, and Terrapack TpkWebGIS Client 1.0.0. These are delivered by ASTER S.p.A.", "description_and_impact": "A file upload flaw in the Terrapack software suite allows an attacker to upload code that the system will execute with the privileges of the web server. The vulnerability is categorized as an untrusted file upload (CWE-434). An attacker who can send a malicious file to the affected components can run arbitrary commands, potentially compromising confidentiality, integrity, and availability of the host.", "risk_and_exploitability": "The issue receives a CVSS score of 8.8, indicating high severity, but an EPSS of less than 1% suggests it is currently rarely exploited. It is not listed in the CISA KEV catalog. The most likely attack vector is a remote exploit, where an attacker submits a malicious file through a publicly exposed upload endpoint. Successful exploitation would grant remote code execution privileges."}}}}, "created": "2026-03-23T09:54:20.267366+00:00", "updated": "2026-03-25T14:10:19.414251+00:00", "vendors": ["aster", "aster$PRODUCT$tkservercgi", "aster$PRODUCT$tkwebcoreng", "aster$PRODUCT$tpkwebgis_client"]}