Critical vulnerabilities in the Partner Software and Partner Web applications pose significant risks to government agencies and municipal organizations across the United States.
The vulnerabilities allow authenticated attackers to execute arbitrary code on compromised systems, potentially granting complete control over affected infrastructure.
Partner Software, a subsidiary of N. Harris Computer Corporation, develops field mapping and management applications widely used by municipalities, state governments, and private contractors for GIS-related work and field operations.
Three distinct vulnerabilities, discovered by Ryan Pohlner from the Cybersecurity and Infrastructure Security Agency (CISA), create a dangerous attack chain that could compromise entire government systems.
CVE-2025-6076 represents the most severe vulnerability, allowing authenticated users to upload malicious files through the Reports tab without any file type restrictions or content sanitization.
Since the software typically runs with SYSTEM privileges, successful exploitation grants attackers the highest level of access to the compromised device.
The unrestricted file upload capability means attackers can deploy various malicious payloads, including executable files that can establish persistent access or deploy additional malware.
CVE-2025-6077 compounds the security risk by revealing that all versions of Partner Web ship with identical default administrator credentials across installations.
This configuration weakness provides attackers with a potential entry point into systems where administrators have failed to change the default passwords, effectively bypassing authentication controls entirely.
CVE-2025-6078 enables stored cross-site scripting (XSS) attacks through the Notes feature within job views.
The application fails to properly sanitize HTML and JavaScript input, allowing attackers to inject malicious scripts that execute when other users view the contaminated notes.
This vulnerability can be leveraged to steal user credentials, session tokens, or redirect users to malicious websites.
Vulnerabilities in Partner Software
The vulnerabilities carry particular significance due to Partner Software’s extensive deployment across critical government infrastructure.
The applications support various municipal services including utility management, field inspections, and asset tracking.
Government agencies rely on these systems to manage essential services such as water distribution, electrical grid maintenance, and public works projects.
The combination of these vulnerabilities creates multiple attack vectors for malicious actors.
An attacker could potentially gain initial access through default credentials, upload malicious files to establish persistence, and use XSS attacks to compromise additional user accounts or pivot to other systems within the network.
Given that these applications often handle sensitive infrastructure data and maintain connections to other critical systems, successful exploitation could have cascading effects throughout government operations.
Security experts note that the software’s typical deployment with SYSTEM-level privileges significantly amplifies the potential impact of these vulnerabilities.
This configuration means that successful exploitation immediately grants attackers the highest level of system access, bypassing traditional privilege escalation requirements that might otherwise limit the scope of an attack.
Mitigations
Partner Software has released version 4.32.2 to address all identified vulnerabilities, implementing comprehensive security improvements.
The patch removes default administrator and edit user accounts entirely, eliminating the risk posed by shared default credentials.
Additionally, the Notes section now employs strict input sanitization that restricts content to plain text only, preventing XSS attacks.
The file upload functionality has been significantly restricted in the patched version, limiting acceptable file types to safer formats including .csv, .jpg, .png, .txt, .doc, and .pdf files.
Importantly, the system now treats uploaded files as read-only documents rather than executing them, preventing the deployment of malicious code through file uploads.
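The two application-level fixes described above, an extension allowlist with read-only storage for uploads and plain-text-only notes, can be illustrated in code. The following Python snippet is an added example written for this article, not Partner Software's own implementation (the product runs on a PHP stack); the size limit, the magic-byte check, the header set and every function name are this example's assumptions, and the sample inputs are constructed.

```python
import html
import os
import re
import secrets
import tempfile
from pathlib import Path

# Extension allowlist matching the list the vendor describes for the patched version.
ALLOWED_EXTENSIONS = {".csv", ".jpg", ".png", ".txt", ".doc", ".pdf"}

# Standard format signatures for the binary types. An executable renamed to
# "report.png" fails here even though its extension is on the allowlist.
# (Pairing signatures with the allowlist is this example's choice, not something
# the advisory specifies.)
MAGIC_PREFIXES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),  # legacy OLE2 container
}

MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed limit


class UploadRejected(ValueError):
    """Raised when an upload fails the allowlist or content checks."""


def validate_upload(filename: str, content: bytes) -> str:
    """Return the normalized extension if the upload is acceptable, else raise."""
    # Only the extension of the base name matters; any directory part in the
    # client-supplied name is ignored (and is never used for storage anyway).
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} is not on the allowlist")
    if len(content) > MAX_UPLOAD_BYTES:
        raise UploadRejected("upload exceeds size limit")
    if ext in (".csv", ".txt"):
        # Text formats must decode as UTF-8 and contain no NUL bytes; a binary
        # image renamed to .txt fails one of these checks.
        if b"\x00" in content:
            raise UploadRejected("text upload contains NUL bytes")
        try:
            content.decode("utf-8")
        except UnicodeDecodeError:
            raise UploadRejected("text upload is not valid UTF-8") from None
    elif not content.startswith(MAGIC_PREFIXES[ext]):
        raise UploadRejected(f"content does not match the {ext} format signature")
    return ext


def is_acceptable(filename: str, content: bytes) -> bool:
    """Boolean wrapper around validate_upload for callers that only need a verdict."""
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected:
        return False


def store_upload(upload_dir: Path, filename: str, content: bytes) -> Path:
    """Store validated content under a server-chosen random name, read-only."""
    ext = validate_upload(filename, content)
    upload_dir.mkdir(parents=True, exist_ok=True)
    stored = upload_dir / f"{secrets.token_hex(16)}{ext}"
    stored.write_bytes(content)
    # No execute bit for anyone: the file is a document, never a program.
    stored.chmod(0o440)
    return stored


def download_headers(stored: Path) -> dict:
    """Headers for returning a stored file as an opaque attachment, so the
    browser downloads it rather than rendering or content-sniffing it."""
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{stored.name}"',
        "X-Content-Type-Options": "nosniff",
    }


_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def sanitize_note(raw: str) -> str:
    """Reduce a note to plain text: drop control characters, then escape every
    HTML metacharacter so markup is displayed literally, never interpreted."""
    return html.escape(_CONTROL_CHARS.sub("", raw), quote=True)


def demo() -> int:
    """Store a constructed PNG in a temporary directory and return its permission bits."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed header plus padding
    with tempfile.TemporaryDirectory() as tmp:
        stored = store_upload(Path(tmp), "site_photo.PNG", png)
        return stored.stat().st_mode & 0o777
```

The client-supplied name never reaches the filesystem: the server picks a random name and only the allowlisted extension survives, which removes path traversal and double-extension tricks from consideration. The extension check alone is not enough, which is why the binary types are also matched against their format signature, and serving the result as an attachment with `nosniff` keeps the browser from treating a stored document as active content.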
Organizations using Partner Software versions 4.32 and earlier should immediately upgrade to version 4.32.2 to protect against these vulnerabilities.
The security updates also include improvements to underlying components such as Apache, MariaDB, PHP, and other core technologies to address additional potential security concerns.
Given the critical nature of these vulnerabilities and their potential impact on government operations, security experts recommend treating this update as an emergency patch requiring immediate deployment across all affected systems.