The CERT Coordination Center has disclosed serious security vulnerabilities affecting Partner Software and Partner Web applications widely used by municipalities, state governments, and private contractors for field operations and GIS-related work.
These vulnerabilities, tracked as CVE-2025-6076, CVE-2025-6077, and CVE-2025-6078, pose significant risks to organizations relying on these platforms for critical infrastructure management.
Multiple Attack Vectors Enable System Compromise
The vulnerabilities stem from inadequate input sanitization mechanisms within the applications’ file upload and note-taking functionalities.
CVE-2025-6076 represents the most severe flaw, where Partner Web’s Reports tab fails to sanitize uploaded files, enabling authenticated attackers to upload malicious payloads that execute arbitrary code on victim servers.
This remote code execution (RCE) capability allows attackers to gain complete control over affected systems.
Complementing this attack vector, CVE-2025-6078 exposes a stored cross-site scripting (XSS) vulnerability in the Notes section of the Job view.
Attackers can inject malicious JavaScript code through HTML tags, compromising user sessions and potentially escalating privileges.
The third vulnerability, CVE-2025-6077, reveals that Partner Web applications ship with identical default administrator credentials across all versions, providing an easy entry point for unauthorized access.
Patch Available as Organizations Rush to Secure Systems
Partner Software has released version 4.32.2 to address these critical security flaws.
The patch implements several security improvements: it removes the default Admin and Edit user accounts, restricts the Notes section to plain text through enhanced input sanitization, and enforces strict file upload controls that limit attachments to specific formats, including .csv, .jpg, .png, .txt, .doc, and .pdf files.
Additionally, the updated version ensures uploaded files are displayed rather than executed, preventing code execution attacks.
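The two application-side fixes described above (an extension allowlist for Reports uploads and plain-text-only Notes) are the standard defences against the upload RCE and stored XSS classes. The following is an added example written for this article, not Partner Software's code: it validates an upload against the allowlist the article reports (checking file content, not just the attacker-controlled extension), builds response headers that make the browser treat a stored file as inert data, and reduces a note to plain text. The magic-byte signatures and the choice to serve files as attachments are this example's assumptions; the vendor's actual implementation is not published.

```python
import html
import os
import re

# Allowlist as reported for version 4.32.2 (taken from the article; the
# vendor's full list may differ). Binary types carry their expected leading
# bytes; text types are None and are checked for valid, NUL-free UTF-8.
ALLOWED_TYPES = {
    ".csv": None,
    ".txt": None,
    ".jpg": (b"\xff\xd8\xff",),                       # JPEG SOI marker
    ".png": (b"\x89PNG\r\n\x1a\n",),                  # PNG signature
    ".pdf": (b"%PDF-",),                               # PDF header
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),    # OLE2 compound file
}

_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def safe_filename(name: str) -> str:
    """Strip directory components and unusual characters, lowercase the
    extension. Prevents path traversal via names like ../../x.png."""
    base = os.path.basename(name.replace("\\", "/"))
    base = _UNSAFE_CHARS.sub("_", base)
    stem, ext = os.path.splitext(base)
    if not stem:
        raise ValueError(f"rejected filename: {name!r}")
    return stem + ext.lower()


def validate_upload(filename: str, data: bytes) -> str:
    """Return the sanitized filename if the upload passes the allowlist,
    else raise ValueError. Both the extension and the content are checked,
    because a renamed script would pass an extension-only check."""
    name = safe_filename(filename)
    ext = os.path.splitext(name)[1]
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension {ext!r} not allowed")
    magics = ALLOWED_TYPES[ext]
    if magics is None:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            raise ValueError(f"{ext} upload is not valid UTF-8 text")
        if b"\x00" in data:
            raise ValueError(f"{ext} upload contains NUL bytes")
    elif not any(data.startswith(m) for m in magics):
        raise ValueError(f"content does not match the {ext} signature")
    return name


def is_accepted(filename: str, data: bytes) -> bool:
    """Boolean wrapper around validate_upload for callers that only need
    an accept/reject decision."""
    try:
        validate_upload(filename, data)
    except ValueError:
        return False
    return True


def download_headers(name: str) -> dict:
    """Response headers that return a stored upload as inert data: a fixed
    generic type, attachment disposition, no MIME sniffing, and a CSP that
    blocks any active content if a browser renders it anyway."""
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'",
    }


def plain_text_note(note: str) -> str:
    """Reduce a Notes entry to plain text: every markup character is
    HTML-escaped so tags render literally instead of executing."""
    return html.escape(note, quote=True)


if __name__ == "__main__":
    # Constructed sample inputs for a local run.
    print(validate_upload("../../site_plan.PNG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
    print(is_accepted("renamed.png", b"\xff\xd8\xff\xe0JFIF"))   # JPEG bytes, .png name
    print(plain_text_note("<b>pole 17 replaced</b>"))
    print(download_headers("site_plan.png"))
```

The content check matters because the extension is the only thing an allowlist alone looks at; pairing it with `nosniff` and a fixed `Content-Type` on the way back out is what turns "uploaded files are displayed rather than executed" into a property the server enforces instead of one the browser guesses at.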
The vulnerability disclosure originated from Ryan Pohlner at the Cybersecurity and Infrastructure Security Agency (CISA), highlighting the collaborative effort between federal cybersecurity authorities and private software vendors.
Organizations running affected versions (4.32 and earlier) should immediately upgrade to version 4.32.2 to mitigate these risks.
The Software Engineering Institute emphasizes that these vulnerabilities could compromise devices used in critical infrastructure operations, making rapid remediation essential for maintaining operational security.
Given Partner Software’s widespread adoption across government and contractor networks, security administrators should prioritize this update as part of their vulnerability management programs.