Full Report
Unauthenticated Remote Code Execution (CVE-2026-6847) has been found in 4real ThemisNETPanel software.
Analysis Summary
# Vulnerability: Unauthenticated Remote Code Execution in 4real ThemisNETPanel
## CVE Details
- **CVE ID:** CVE-2026-6847
- **CVSS Score:** 9.8 (Critical) - *Estimated based on unauthenticated RCE impact*
- **CWE:** CWE-306 (Missing Authentication for Critical Function)
## Affected Systems
- **Products:** 4real ThemisNETPanel
- **Versions:** All versions released prior to April 2026
- **Configurations:** Systems exposing the web-based management panel to the network/internet.
## Vulnerability Description
A Remote Code Execution (RCE) vulnerability exists in ThemisNETPanel due to a failure to enforce authentication on a critical file upload endpoint. The application exposes an interface that allows an attacker to transmit a base64-encoded payload. Because the system does not verify the identity or authorization of the requester, an unauthenticated user can upload arbitrary PHP files to the server. Once uploaded, these files can be accessed via the web server to execute arbitrary code with the privileges of the web service.
## Exploitation
- **Status:** PoC available (coordinated disclosure completed)
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full access to server data and files)
- **Integrity:** High (Ability to modify system files and database content)
- **Availability:** High (Potential for system deletion, ransomware, or service disruption)
## Remediation
### Patches
- **Update to Version 04.2026 or later:** The vendor released a patch in April 2026 that implements the necessary authentication checks for the file upload function. Organizations should verify their current version and update immediately.
### Workarounds
- **Network Segmentation:** Restrict access to the ThemisNETPanel web interface to trusted internal IP addresses or via a VPN.
- **Web Application Firewall (WAF):** Implement rules to block suspicious base64 payloads or unauthorized POST requests to file-uploading endpoints.
- **Disable File Execution:** Configure the web server to disable the execution of PHP scripts in the directories used for user-uploaded content.
## Detection
- **Indicators of Compromise:** Look for unexpected PHP files in web directories, particularly those containing obfuscated code or web shells.
- **Log Analysis:** Review web server access logs for unusual POST requests to upload endpoints originating from unknown or external IP addresses.
- **Tooling:** Use file integrity monitoring (FIM) to detect the creation of new executable files in the web root.
## References
- **Vendor Advisory:** hxxps[://]cert[.]pl/en/posts/2026/07/vulnerability-in-4real-themisnetpanel/
- **CVE Record:** hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-6847
- **CWE Definition:** hxxps[://]cwe[.]mitre[.]org/data/definitions/306[.]html