{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/borg-technology-corporation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-6885"}],"_cs_exploited":false,"_cs_products":["SPM 2007"],"_cs_severities":["critical"],"_cs_tags":["file-upload","web-shell","code-execution"],"_cs_type":"advisory","_cs_vendors":["BorG Technology Corporation"],"content_html":"\u003cp\u003eBorg SPM 2007, a product by BorG Technology Corporation with sales ending in 2008, is vulnerable to arbitrary file uploads (CVE-2026-6885). This vulnerability allows unauthenticated remote attackers to upload malicious files, such as web shells, which can then be executed by the server. The attacker can then achieve arbitrary code execution, leading to a compromise of the system. Given the age of the software, it is likely running on outdated systems with fewer security controls making successful exploitation highly probable. This poses a significant risk to organizations still using this software.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Borg SPM 2007 server exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP POST request to the server, exploiting the file upload vulnerability (CVE-2026-6885).\u003c/li\u003e\n\u003cli\u003eThe POST request contains a malicious file, such as a PHP web shell, disguised with a permissible extension or without any extension check.\u003c/li\u003e\n\u003cli\u003eThe Borg SPM 2007 server saves the uploaded file to a publicly accessible directory, without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe attacker sends another HTTP request to access the uploaded web shell.\u003c/li\u003e\n\u003cli\u003eThe web server executes the web shell code, granting the attacker arbitrary code execution on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the web shell to gain a persistent foothold, install malware, or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the vulnerable server. This can lead to full system compromise, data theft, and potential disruption of services. While the number of active installations is likely low due to the product\u0026rsquo;s end-of-life status in 2008, organizations still running Borg SPM 2007 are at high risk if the system is exposed to the Internet.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify instances of Borg SPM 2007 running in your environment and isolate them from the network if possible.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect potential web shell uploads based on HTTP request characteristics.\u003c/li\u003e\n\u003cli\u003eSince no patch exists, consider immediate decommissioning or migration to a supported alternative.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T10:16:18Z","date_published":"2026-04-23T10:16:18Z","id":"/briefs/2026-04-borg-spm-file-upload/","summary":"An unauthenticated remote attacker can exploit an arbitrary file upload vulnerability (CVE-2026-6885) in Borg SPM 2007 to upload and execute web shell backdoors, leading to arbitrary code execution on the server.","title":"Borg SPM 2007 Arbitrary File Upload Vulnerability (CVE-2026-6885)","url":"https://feed.craftedsignal.io/briefs/2026-04-borg-spm-file-upload/"}],"language":"en","title":"CraftedSignal Threat Feed — BorG Technology Corporation","version":"https://jsonfeed.org/version/1.1"}