Overview
Partner Software and Partner Web, both products of their namesake company, Partner Software, fail to sanitize report or note files, allowing for XSS attacks. Partner Software is subdivision of N. Harris Computer Corporation and is a field application development company, with products intended for use by industry, municipalities, state government, and private contractors. An authorized user of Partner Software or Partner Web application can upload “Reports” when viewing a job. The file upload feature does not limit files that can be uploaded or their extensions, allowing an attacker with valid credentials to perform XSS attacks and execute malicious code on the device. The Partner Web product also ships with the same default administrator username and password across versions. An attacker with access to the Partner Web application could abuse these vulnerabilities to perform arbitrary code execution on the hosting device.
Description
Partner Software’s products Partner Software and Partner Web are used by various municipalities, state government, and private contractors for field application work. These products include support for various GIS-related uses, map viewers, and other support tools. The Partner Software and Partner Web products contain various fields for uploading content for analysis by field workers. An authenticated user with access to the Partner Web application could perform RCE through usage of the vulnerabilities.
CVE-2025-6076
Partner Software’s corresponding Partner Web application does not sanitize files uploaded on the Reports tab, allowing an authenticated attacker to upload a malicious file that will be stored on the victim server.
CVE-2025-6077
Partner Software’s corresponding Partner Web application all use the same default username and password for the administrator account.
CVE-2025-6078
Partner Software/Partner Web allows an authenticated user to add text on the Notes page within the Job view, but does not completely sanitize input, making it possible to add notes with HTML tags and JavaScript and enabling an attacker to add a note containing malicious JavaScript, leading to stored XSS (cross-site scripting).
Impact
An attacker using these vulnerabilities can either gain administrator access to the device or perform XSS, compromising the device.
Solution
Partner Software has provided a patch for the affected product in version 4.32.2. The Admin and Edit users are now removed in the 4.32.2 patch, and the Notes section now restricts and sanitizes input to only including simple text. Additionally, file attachments allowed include only .csv, .jpg, .png, .txt, .doc, and .pdf files, and will not longer read then files, only display them. The affected versions of Partner Web are 4.32 and previous. Patch information is available here: https://partnersoftware.com/resources/software-release-info-4-32/
Acknowledgements
Thanks to the reporter, Ryan Pohlner (Cybersecurity and Infrastructure Security Agency). for the report and to Partner Software for coordination efforts. This document was written by Christopher Cullen.

Overview
The TP-Link Archer C50 router, which has reached End-of-Life (EOL), contains a hardcoded encryption key in its firmware, enabling decryption of sensitive configuration files. This vulnerability allows attackers to trivially access administrative credentials, Wi-Fi passwords, and other internal settings, after authentication to the device.
Description
A vulnerability exists in the TP-Link Archer C50 router’s firmware, where encrypted configuration files are protected using DES in ECB (Electronic Codebook) mode with a hardcoded static key. The embedded DES key is never randomized or derived per device.
CVE-2025-6982
TP-Link Archer C50 router contains hardcoded DES decryption keys, which makes them vulnerable to configuration file decryption.
The encryption lacks randomness and message authentication, allowing for trivial offline decryption of sensitive data.
Impact
Exploitation of this vulnerability may result in:
Exposure of Sensitive Configuration Data

Admin credentials
Wireless network SSIDs and passwords
Static IPs, DHCP settings, and DNS server details

Network Intelligence Gathering

Internal network structure
Connected device roles and topology
Pre-positioning for further attacks

Ease of Exploitation

Works on default firmware configurations
Does not require the router to be actively running
Primary Impact: Full authorized access to router configuration, leading to potential compromise of the connected network.

Solution
The CERT/CC is currently unaware of a practical solution to this problem.
Note: The TP-Link Archer C50 has reached End-of-Life (EOL) and no longer receives firmware updates or security support from the vendor.
Users are strongly advised to:

Retire and replace the Archer C50 with a supported router model
Avoid using devices with known cryptographic flaws
Secure or delete any exported configuration files
Change passwords if configuration files were exposed or restored from backup

Acknowledgements
Thanks to the researchers Sushant Mane, Jai Bhortake, and Dr. Faruk Kazi from CoE – CNDS Lab, VJTI, Mumbai, India. This document was written by Timur Snoke.

Overview
Lakeside Software, an IT digital employee experience platform, offers a product called SysTrack, intended for endpoint observability. This program uses an executable called LsiAgent.exe, which attempts to load various Dynamic Link Library (DLL) files when run. The program does not properly check which files or places from which it loads the DLL files, allowing an attacker to place a malicious DLL file within a known System PATH variable on the victim device. When LsiAgent.exe runs, it will load the malicious code, resulting in code execution and privilege escalation, as LsiAgent.exe runs within the NT AUTHORITYSYSTEM context. A patch has been provided by Lakeside Software, and the vulnerability is fixed in version 10.10.0.42 and higher.
Description
Lakeside Software, an IT digital employee experience company, offers a product called Systems Management Agent (SysTrack) that is intended for endpoint health and performance monitoring. The product contains various different programs and executables that are installed on a device. One of these programs is called LsiAgent.exe, which runs within the context of NT AUTHORITYSYSTEM. Additionally, LsiAgent.exe runs on startup with default installation settings. A vulnerability has been discovered, tracked as CVE-2025-6241, which allows an attacker to achieve elevated code execution through placing malicious DLL files within a known System PATH environment variable, or by bundling the LsiAgent.exe program alongside another malicious DLL. The bundled DLL will be executed when the victim runs the supposedly safe LsiAgent.exe program.
System PATH variable settings are typically manipulated by other programs installed during normal use of a machine. When LsiAgent.exe is executed, it will iterate through the System PATH environment variable to search for a DLL titled ‘wfapi.dll.’ SysTrack uses the wdapi.dll file to verify if the system is running in a virtualized Citrix Environment. During the System PATH iteration process, LsiAgent.exe attempts to load and run the first file named wfapi.dll that it encounters within the System PATH variable. Therefore, an attacker would only need to provide their malicious DLL file named wfapi.dll within one of the System PATH variables to achieve code execution.
Impact
An attacker with the ability to place a file within any known System PATH environment variable on a victim machine can achieve remote code execution and privilege escalation, as LsiAgent.exe runs within the NT AUTHORITYSYSTEM context. Furthermore, LsiAgent.exe is a signed program, so operations carried out by the program will be shown as being done by a legitimate program, heightening potential impact.
Solution
A patch has been provided by Lakeside Software to fix the affected LsiAgent.exe program. The vulnerable version, 10.05.0027, has been fixed in versions 10.10.0.42 and higher of LsiAgent.exe. The release notes of the version are available here: https://documentation.lakesidesoftware.com/en/Content/Release%20Notes/Agent/10_10_0%20Hotfix%20Agent%20Release%20Notes%20On%20Premises.htm?tocpath=Release%20Notes%7CAgent%7C_____13
Acknowledgements
Thanks to the reporter Owen Sortwell and contributors Adam Merrill and Brian Healy of Sandia National Laboratories. This document was written by Christopher Cullen.