CVE-2025-9846
Published: 23 September 2025
Summary
CVE-2025-9846 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Gov (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 37.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-9846 is an Unrestricted Upload of File with Dangerous Type vulnerability in Inka.Net, a product of TalentSys Consulting Information Technology Industry Inc. The flaw enables command injection and affects Inka.Net versions prior to 6.7.1. It is associated with CWE-434 and carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. Exploitation allows command injection, resulting in high impacts to confidentiality, integrity, and availability, including potential full system compromise due to the changed scope.
The Turkish National Cyber Incident Response Center (USOM) advisory at https://www.usom.gov.tr/bildirim/tr-25-0288 provides further details on this issue. Upgrading to Inka.Net 6.7.1 or later resolves the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-30891
Vulnerability details
Unrestricted Upload of File with Dangerous Type vulnerability in TalentSys Consulting Information Technology Industry Inc. Inka.Net allows Command Injection. This issue affects Inka.Net: before 6.7.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unrestricted file upload with dangerous type on public-facing Inka.Net web app directly enables remote unauthenticated exploitation (T1190) leading to command injection (T1059).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 directly prevents unrestricted uploads of dangerous file types by enforcing validation of file content, type, and source at upload input points, blocking command injection exploits.
SI-2 requires identification, reporting, and correction of the specific software flaw in Inka.Net versions before 6.7.1, with timely patching to eliminate the vulnerability.
SI-3 mitigates exploitation by scanning for and eradicating malicious code in uploaded dangerous files that enable command injection at system entry points.