Cyber Resilience

CVE-2026-4170

HighRCE

Published: 16 March 2026

Published
16 March 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v4 8.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0207 79.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-4170 is a high-severity Command Injection (CWE-77) vulnerability in Feishu (inferred from references). Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-4170 is an OS command injection vulnerability affecting Topsec TopACM 3.0. The issue resides in an unknown functionality of the file /view/systemConfig/management/nmc_sync.php within the HTTP Request Handler component. By manipulating the template_path argument in an HTTP request, an attacker can inject and execute arbitrary operating system commands.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network with low complexity, no privileges, and no user interaction required. Remote attackers can achieve high impacts on confidentiality, integrity, and availability, potentially leading to full system compromise. An exploit is publicly available and could be used in attacks.

Advisories from sources like VulDB note that the vendor was contacted early about the disclosure but did not respond, implying no official patches or mitigations are available at this time. Security practitioners should review the referenced advisories for additional details.

Notable context includes the public availability of the exploit, increasing the risk of real-world attacks against exposed Topsec TopACM 3.0 instances.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A weakness has been identified in Topsec TopACM 3.0. Affected by this vulnerability is an unknown functionality of the file /view/systemConfig/management/nmc_sync.php of the component HTTP Request Handler. Executing a manipulation of the argument template_path can lead to os command injection.…

more

The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Unauthenticated OS command injection in a public-facing web application (HTTP Request Handler) directly enables T1190 (Exploit Public-Facing Application) for initial access and T1059 (Command and Scripting Interpreter) for arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7062Shared CWE-77, CWE-78
CVE-2025-1676Shared CWE-77, CWE-78
CVE-2026-1544Shared CWE-77, CWE-78
CVE-2025-1536Shared CWE-77, CWE-78
CVE-2025-59740Shared CWE-77, CWE-78
CVE-2026-7590Shared CWE-77, CWE-78
CVE-2026-4585Shared CWE-77, CWE-78
CVE-2025-59736Shared CWE-77, CWE-78
CVE-2026-2544Shared CWE-77, CWE-78
CVE-2025-44015Shared CWE-77, CWE-78

Affected Assets

Feishu
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents OS command injection by enforcing input validation mechanisms on the template_path parameter in HTTP requests to block malicious command payloads.

prevent

Enforces approved authorizations on the vulnerable /view/systemConfig/management/nmc_sync.php endpoint, blocking unauthenticated remote access required for exploitation.

preventrecover

Mandates timely identification, reporting, and correction of the specific command injection flaw in Topsec TopACM 3.0, including workarounds given lack of vendor patch.

References