Selea CarPlateServer Remote Program Execution Vulnerability

Vulnerability

A remote program execution vulnerability has been identified in Selea CarPlateServer version 4.0.1.6. It allows attackers to execute arbitrary Windows binaries by manipulating the NO_LIST_EXE_PATH configuration parameter. Exploitation can be achieved by bypassing authentication through the /cps/ endpoint, which enables attackers to modify server configurations, including admin passwords, and to execute system commands.

Impact

Exploitation of this vulnerability allows for arbitrary execution of Windows binaries, potentially leading to unauthorized access or actions on the server.

Reproduction

To reproduce this vulnerability, authenticate to the Selea CarPlateServer application and navigate to the /cps/ endpoint. Once authenticated, the NO_LIST_EXE_PATH variable can be set to a desired executable. If the configuration is accepted, the specified program will be executed on the server.

Added: Dec 31, 2025, 7:33 PM
Updated: Dec 31, 2025, 9:06 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.