Cyber Resilience

CVE-2026-32989

High · Public PoC

Published: 20 March 2026
Modified: 16 April 2026
CVSS v4 Score: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0021 (11.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-32989 is a high-severity CSRF (CWE-352) vulnerability in Precurio Intranet Portal. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 11.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-32989 is a cross-site request forgery (CSRF) vulnerability in Precurio Intranet Portal version 4.4. The issue resides in the profile update endpoint that handles file uploads, allowing attackers to induce authenticated users into submitting crafted requests. This enables the upload of executable files to web-accessible locations, resulting in arbitrary code execution in the context of the web server. Published on 2026-03-20, the vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and maps to CWE-352 (Cross-Site Request Forgery) and CWE-434 (Unrestricted Upload of File with Dangerous Type).

The attack requires network access with low complexity and no privileges from the attacker, but relies on user interaction, such as an authenticated user visiting a malicious webpage. An attacker crafts a malicious request targeting the vulnerable endpoint; when the victim interacts with it (e.g., via a forged link or form), their browser automatically submits the request using their session credentials. Successful exploitation grants arbitrary code execution as the web server, potentially allowing full server compromise, data theft, or further lateral movement.

Advisories providing additional details, potential patches, and mitigation guidance are available at https://www.packetstorm.news/files/id/215644/ and https://www.precurio.com. Security practitioners should review these sources promptly for vendor-recommended updates and workarounds.

Vulnerability details

Precurio Intranet Portal 4.4 contains a cross-site request forgery vulnerability that allows attackers to induce authenticated users to submit crafted requests to a profile update endpoint handling file uploads. Attackers can exploit this to upload executable files to web-accessible locations, leading to arbitrary code execution in the context of the web server.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

CSRF + unrestricted file upload directly enables remote exploitation of the web portal for initial access (T1190) and deployment of executable web shells in accessible directories for RCE (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22654 (Shared CWE-434)
CVE-2025-11948 (Shared CWE-434)
CVE-2025-67260 (Shared CWE-434)
CVE-2025-28915 (Shared CWE-434)
CVE-2023-53956 (Shared CWE-434)
CVE-2025-6058 (Shared CWE-434)
CVE-2021-47819 (Shared CWE-434)
CVE-2025-7852 (Shared CWE-434)
CVE-2026-4883 (Shared CWE-434)
CVE-2019-25630 (Shared CWE-434)

Affected Assets

precurio intranet portal 4.4

Mitigating Controls (NIST 800-53 r5)

prevent

Directly mitigates the CSRF vulnerability by enforcing session authenticity mechanisms such as anti-CSRF tokens on the profile update endpoint.

prevent

Prevents unrestricted upload of executable files by validating file inputs for type, content, and dangerous extensions on the vulnerable endpoint.

prevent, detect

Blocks or detects malicious executable files uploaded to web-accessible locations, preventing arbitrary code execution in the web server context.
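
The first two controls above, sketched as an added example (not Precurio code and not taken from any advisory): a profile-update handler that rejects requests lacking a session-bound anti-CSRF token and accepts only image uploads whose extension and leading bytes agree. All names, the key handling and the status codes are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Assumption: a per-deployment secret, loaded from protected configuration.
SERVER_KEY = secrets.token_bytes(32)

# Allowlist of final extension -> required leading bytes of the file.
ALLOWED_IMAGES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session; embedded in the server-rendered form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_ok(session_id: str, submitted_token) -> bool:
    """A cross-site form carries the cookie but cannot know this token."""
    if not submitted_token:
        return False
    expected = issue_csrf_token(session_id).encode()
    return hmac.compare_digest(expected, submitted_token.encode())


def safe_stored_name(filename: str, content: bytes):
    """Return a server-chosen name, or None if the upload is not an allowed image."""
    name = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(name)[1].lower()  # only the final extension counts
    magic = ALLOWED_IMAGES.get(ext)
    if magic is None or not content.startswith(magic):
        return None
    # Discard the client-supplied name; store under a random one. The upload
    # directory should also be configured so the server never executes files in it.
    return secrets.token_hex(16) + ext


def handle_profile_update(session_id, csrf_token, filename, content):
    """Hypothetical handler: returns (HTTP status, stored file name or None)."""
    if not csrf_ok(session_id, csrf_token):
        return (403, None)  # session authenticity check (SC-23)
    stored = safe_stored_name(filename, content)
    if stored is None:
        return (415, None)  # input validation (SI-10)
    return (200, stored)
```

The token check runs before any file handling, so a forged request is refused without the upload being parsed or written.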
