Vulnerabilities in Government-Linked Partner Software Allow Remote Code Attacks

Multiple serious security vulnerabilities have been discovered in Partner Software and Partner Web applications widely used by government agencies and contractors, potentially exposing sensitive systems to remote code execution attacks and data breaches.

The vulnerabilities, tracked as CVE-2025-6076, CVE-2025-6077, and CVE-2025-6078, were disclosed in a CERT vulnerability note on August 2, 2025, highlighting significant security gaps that could allow attackers to compromise entire systems.

Critical Security Flaws Expose Government Systems

Partner Software, a subsidiary of N. Harris Computer Corporation, develops field application software extensively used by municipalities, state governments, and private contractors for GIS-related work, map viewing, and field operations support.

| CVE ID | Vulnerability Type | CVSS Score | Impact Level |
|---|---|---|---|
| CVE-2025-6076 | File Upload/RCE | Not specified | Critical |
| CVE-2025-6077 | Authentication Bypass | Not specified | High |
| CVE-2025-6078 | Stored XSS | Not specified | Medium |

The discovered vulnerabilities stem from inadequate input sanitization in the applications’ file upload and note-taking features, creating multiple attack vectors for malicious actors.

The most severe vulnerability, CVE-2025-6076, allows authenticated attackers to upload malicious files through the Reports tab without proper file type restrictions or content validation.

This flaw enables attackers to store executable code directly on victim servers, potentially leading to complete system compromise.

The vulnerability affects the core file handling mechanism, making it particularly dangerous for organizations processing sensitive government data.

CVE-2025-6077 reveals another critical security oversight: Partner Web applications ship with identical default administrator credentials across all installations.

This configuration weakness provides attackers with a straightforward path to gaining administrative access, especially when combined with the file upload vulnerability.

The third vulnerability, CVE-2025-6078, affects the Notes feature within job views, where insufficient input sanitization allows authenticated users to inject HTML and JavaScript code.

This stored cross-site scripting (XSS) vulnerability can be exploited to steal user credentials, manipulate displayed data, or execute malicious scripts in other users’ browsers.

Given Partner Software’s extensive use across government agencies and contractors, these vulnerabilities pose significant risks to public sector cybersecurity.

Successful exploitation could lead to unauthorized access to sensitive government data, manipulation of field reports, and potential disruption of critical municipal services.

The combination of remote code execution capabilities and default credential vulnerabilities creates particularly severe risk scenarios.

Partner Software has released version 4.32.2 to address these security issues.

The patch removes default Admin and Edit user accounts, implements proper input sanitization for the Notes section, and restricts file uploads to safe formats including CSV, JPG, PNG, TXT, DOC, and PDF files.

The updated version also prevents file execution, limiting uploads to display-only functionality.
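
The sketch below is an added example, not Partner Software's code: it shows one way to enforce the allowlist described above by checking both the extension and the file content. The function name, size limit and stored-name scheme are assumptions made for illustration.

```python
import os
import uuid

# Allowlist taken from the patch description above. Values are standard file
# signatures; None marks text formats that have no signature.
ALLOWED = {
    ".csv": None,
    ".txt": None,
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file
}
MAX_BYTES = 10 * 1024 * 1024  # assumed limit, not from the advisory


def validate_upload(client_name, data):
    """Return (stored_name, None) if accepted, else (None, reason)."""
    # Only the final extension counts; anything outside the allowlist fails.
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in ALLOWED:
        return None, "extension not allowed"
    if not data or len(data) > MAX_BYTES:
        return None, "bad size"
    magic = ALLOWED[ext]
    if magic is not None:
        # Binary formats: leading bytes must match the claimed type.
        if not data.startswith(magic):
            return None, "content does not match extension"
    else:
        # Text formats: valid UTF-8 with no NUL bytes.
        if b"\x00" in data:
            return None, "binary data in text file"
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return None, "not valid UTF-8 text"
    # Never reuse the client-supplied name on disk; generate one server-side
    # so inner extensions and path components are discarded.
    return uuid.uuid4().hex + ext, None
```

Content checks alone do not stop a text file from carrying script, so the stored files should also live in a location the web server never executes, matching the display-only behaviour the patch describes.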

Organizations running Partner Web version 4.32 or earlier should immediately apply the available patch.

The vulnerabilities were responsibly disclosed by Ryan Pohlner from the Cybersecurity and Infrastructure Security Agency (CISA), emphasizing the federal government’s commitment to securing critical infrastructure software.
