📄 Description (English)
A local file inclusion vulnerability in the upload/download flow of the VertiGIS FM application allows authenticated attackers to read arbitrary files from the server by manipulating a file's path during its upload. When the file is subsequently downloaded, the file in the attacker controlled path is returned. Due to the application's ASP.NET architecture, this could potentially lead to remote code execution when the "web.config" file is obtained. Furthermore, the application resolves UNC paths which may enable NTLM-relaying attacks.
This issue affects VertiGIS FM: 10.5.00119 (0d29d428).
🤖 AI Executive Summary
CVE-2026-0522 is a critical local file inclusion vulnerability in VertiGIS FM 10.5.00119 that allows authenticated attackers to read arbitrary files from servers and potentially achieve remote code execution by obtaining web.config files. The vulnerability exploits the upload/download flow through path manipulation and supports UNC path resolution, enabling NTLM-relaying attacks. With an active exploit available and no patch currently released, this poses an immediate threat to organizations using affected versions.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 22, 2026 08:17
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi government agencies and municipalities using VertiGIS FM for geographic information systems and facility management. Critical impact expected for: (1) Government/NCA — facility management and infrastructure mapping systems; (2) Energy Sector/ARAMCO — pipeline and facility management systems; (3) Telecom/STC — network infrastructure management; (4) Healthcare — hospital facility management systems; (5) Water/Electricity Utilities — critical infrastructure management. The ability to achieve RCE through web.config extraction could lead to complete system compromise and lateral movement within critical infrastructure networks.
🏢 Affected Saudi Sectors
Government/NCA
Energy/ARAMCO
Telecom/STC
Healthcare
Water and Electricity Utilities
Transportation and Logistics
Real Estate and Urban Planning
Municipal Services
🎯 MITRE ATT&CK Techniques
T1190 - Exploit Public-Facing Application
T1083 - File and Directory Discovery
T1005 - Data from Local System
T1040 - Network Sniffing
T1557 - Man-in-the-Middle
T1021 - Remote Service Session Initiation
T1059 - Command and Scripting Interpreter
T1505 - Server Software Component
T1547 - Boot or Logon Autostart Execution
T1133 - External Remote Service
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all instances of VertiGIS FM 10.5.00119 and 10.11.363 in your environment
2. Restrict network access to VertiGIS FM applications to authorized users only
3. Implement strict authentication controls and disable unnecessary service accounts
4. Monitor for suspicious file upload/download activities
COMPENSATING CONTROLS (until patch available):
1. Implement Web Application Firewall (WAF) rules to detect path traversal patterns (../, ..\ sequences) in upload requests
2. Apply input validation to reject file paths containing UNC paths (\\server\share patterns)
3. Restrict file upload destinations to a dedicated, isolated directory with no access to system files
4. Disable UNC path resolution in VertiGIS FM configuration if possible
5. Implement strict file access controls on web.config and other sensitive configuration files
6. Run VertiGIS FM application pool with minimal required privileges
DETECTION RULES:
1. Monitor IIS logs for POST requests to upload endpoints with path traversal sequences
2. Alert on any attempts to access or download web.config files
3. Monitor for NTLM authentication anomalies and relay attack indicators
4. Track file access patterns to system directories from VertiGIS FM process
5. Implement SIEM rules for suspicious UNC path references in application logs
PATCHING GUIDANCE:
1. Subscribe to VertiGIS security advisories for patch availability
2. Prepare isolated test environment for patch validation
3. Plan maintenance window for immediate deployment upon patch release
4. Consider application replacement or upgrade if patch timeline is unacceptable
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع حالات VertiGIS FM 10.5.00119 و 10.11.363 في بيئتك
2. تقييد الوصول إلى شبكة تطبيقات VertiGIS FM للمستخدمين المصرح لهم فقط
3. تطبيق عناصر تحكم مصادقة صارمة وتعطيل حسابات الخدمة غير الضرورية
4. مراقبة الأنشطة المريبة في التحميل والتنزيل
عناصر التحكم التعويضية (حتى توفر التصحيح):
1. تطبيق قواعد جدار حماية تطبيقات الويب لكشف أنماط اجتياز المسارات في طلبات التحميل
2. تطبيق التحقق من صحة الإدخال لرفض مسارات الملفات التي تحتوي على مسارات UNC
3. تقييد وجهات تحميل الملفات إلى دليل مخصص معزول بدون وصول إلى ملفات النظام
4. تعطيل دقة مسار UNC في إعدادات VertiGIS FM إن أمكن
5. تطبيق عناصر تحكم وصول صارمة على ملفات web.config والملفات الحساسة الأخرى
6. تشغيل مجموعة تطبيقات VertiGIS FM بأقل صلاحيات مطلوبة
قواعد الكشف:
1. مراقبة سجلات IIS لطلبات POST إلى نقاط نهاية التحميل بأنماط اجتياز المسارات
2. التنبيه على أي محاولات للوصول أو تنزيل ملفات web.config
3. مراقبة حالات شذوذ مصادقة NTLM ومؤشرات هجمات الترحيل
4. تتبع أنماط الوصول إلى الملفات في الدلائل النظامية من عملية VertiGIS FM
5. تطبيق قواعد SIEM للمراجع المريبة لمسارات UNC في سجلات التطبيق
إرشادات التصحيح:
1. الاشتراك في تنبيهات أمان VertiGIS لتوفر التصحيحات
2. تحضير بيئة اختبار معزولة للتحقق من صحة التصحيح
3. تخطيط نافذة صيانة للنشر الفوري عند توفر التصحيح
4. النظر في استبدال التطبيق أو الترقية إذا كان الجدول الزمني للتصحيح غير مقبول
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.1 - Access Control Policy
A.6.2.1 - User Registration and De-registration
A.6.2.2 - User Access Rights Review
A.7.1.1 - Cryptography Policy
A.8.1.1 - Objective of Information Security Operations
A.8.2.1 - Information Security Event Logging
A.8.2.2 - Protection of Log Information
A.8.3.1 - Malware Protection
A.12.2.1 - Restrictions on Software Installation
A.12.4.1 - Event Logging
A.12.4.3 - Administrator and Operator Logs
A.14.1.1 - Information Security Requirements Analysis and Specification
🔵 SAMA CSF
Governance - Policy and Risk Management
Governance - Compliance and Audit
Protect - Access Control and Authentication
Protect - Data Protection and Privacy
Protect - System and Communications Protection
Detect - Security Monitoring and Alerting
Detect - Vulnerability and Patch Management
Respond - Incident Response and Management
🟡 ISO 27001:2022
5.1 - Policies for information security
5.3 - Segregation of duties
6.1 - Screening
6.2 - Terms and conditions of employment
6.5 - Access rights review
7.1 - Cryptography
8.1 - Objective of information security operations
8.2 - Information security event logging
8.3 - Protection of log information
8.4 - Administrator and operator logs
8.5 - Restriction of access to information
8.6 - Access control to program source code
8.7 - Cryptographic controls
8.32 - Change of ownership or control
8.33 - Information security continuity
8.34 - ICT readiness for business continuity
🟣 PCI DSS v4.0.1
Requirement 1 - Install and maintain a firewall configuration
Requirement 2 - Do not use vendor-supplied defaults
Requirement 6 - Develop and maintain secure systems and applications
Requirement 7 - Restrict access to data by business need to know
Requirement 8 - Identify and authenticate access to system components
Requirement 10 - Track and monitor all access to network resources
📦 Affected Products / CPE 1 entries
vertigis:fm:10.11.363