Sunnet CTMS and CPAS Arbitrary File Upload Vulnerability Allowing Web Shell Execution

Vulnerability

An arbitrary file upload vulnerability has been identified in CTMS and CPAS applications developed by Sunnet. This vulnerability allows privileged remote attackers to upload and execute web shell backdoors, enabling arbitrary code execution on the server. The issue affects all versions of both CTMS and CPAS.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server, with the executed code running in the context of the web server.

Added: May 2, 2026, 10:24 AM

Updated: May 2, 2026, 10:24 AM

Vulnerability Rating

Custom Algorithm

spread

0.3

impact

7.5

exploitability

4.4

remediation

6.0

relevance

7.2

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.3

impact

7.5

exploitability

4.4

remediation

6.0

relevance

7.2

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Sunnet CTMS and CPAS Arbitrary File Upload Vulnerability Allowing Web Shell Execution

Vulnerability

Impact

Affected Products

Sunnet CTMS

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating