Home

Description

The DMP-5000 file service exposes authenticated arbitrary file upload functionality. There are exposed endpoints which allows authenticated users to upload files of any type without validation. No file extension filtering or content inspection is enforced which allows executable binaries and scripts to be accepted and written directly to the server.

PUBLISHED Reserved 2026-03-30 | Published 2026-06-26 | Updated 2026-06-26 | Assigner icscert




HIGH: 7.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

HIGH: 8.4CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N

Problem types

CWE-434

Product status

Default status
unaffected

Any version before v8.117.x.x
affected

Any version before v9.43.x.x
affected

Any version before v10.34.x.x
affected

Default status
unaffected

Any version before v10.34.x.x
affected

Any version before v8.117.x.x
affected

Any version before v9.43.x.x
affected

Default status
unaffected

Any version before v10.34.x.x
affected

Any version before v8.117.x.x
affected

Any version before v9.43.x.x
affected

Credits

Thomas Jou of Princeton University reported this vulnerability to CISA. finder

References

www.cisa.gov/news-events/ics-advisories/icsa-26-176-04

github.com/...p/csaf_files/OT/white/2026/icsa-26-176-04.json

cve.org (CVE-2026-33560)

nvd.nist.gov (CVE-2026-33560)

Download JSON