Cyber Resilience

CVE-2025-9846

CriticalUpdated

Published: 23 September 2025

Published
23 September 2025
Modified
05 June 2026
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0043 63.0th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9846 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Gov (inferred from references). Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 37.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-9846 is an Unrestricted Upload of File with Dangerous Type vulnerability in Inka.Net, a product of TalentSys Consulting Information Technology Industry Inc. The flaw enables command injection and affects Inka.Net versions prior to 6.7.1. It is associated with CWE-434 and carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. Exploitation allows command injection, resulting in high impacts to confidentiality, integrity, and availability, including potential full system compromise due to the changed scope.

The Turkish National Cyber Incident Response Center (USOM) advisory at https://www.usom.gov.tr/bildirim/tr-25-0288 provides further details on this issue. Upgrading to Inka.Net 6.7.1 or later resolves the vulnerability.

EU & UK References

Vulnerability details

Unrestricted Upload of File with Dangerous Type vulnerability in TalentSys Consulting Information Technology Industry Inc. Inka.Net allows Command Injection. This issue affects Inka.Net: before 6.7.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Unrestricted file upload with dangerous type on public-facing Inka.Net web app directly enables remote unauthenticated exploitation (T1190) leading to command injection (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-37175Shared CWE-434
CVE-2025-54444Shared CWE-434
CVE-2025-13689Shared CWE-434
CVE-2024-56975Shared CWE-434
CVE-2019-25580Shared CWE-434
CVE-2026-27636Shared CWE-434
CVE-2026-4809Shared CWE-434
CVE-2020-37090Shared CWE-434
CVE-2026-24729Shared CWE-434
CVE-2026-28289Shared CWE-434

Affected Assets

Gov
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly prevents unrestricted uploads of dangerous file types by enforcing validation of file content, type, and source at upload input points, blocking command injection exploits.

prevent

SI-2 requires identification, reporting, and correction of the specific software flaw in Inka.Net versions before 6.7.1, with timely patching to eliminate the vulnerability.

preventdetect

SI-3 mitigates exploitation by scanning for and eradicating malicious code in uploaded dangerous files that enable command injection at system entry points.

References