An unrestricted upload of file with dangerous type vulnerability in the file upload function of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to execute arbitrary system commands via a malicious class file.
The file upload function in Interinfo DreamMaker does not properly verify the type of uploaded files, which corresponds to the CWE-434 classification (Unrestricted Upload of File with Dangerous Type). An attacker can upload a malicious Java class file to the server via the network interface without requiring authentication. Once the file is placed on the server, it can be executed, leading to the execution of arbitrary system commands in the context of the application server.
An unauthenticated remote attacker can gain full control over the server operating system, including executing arbitrary commands, reading and modifying data, and potentially conducting lateral movement within the internal network.
Interinfo DreamMaker should be updated to the version released on 2025/10/22 or later. Detailed information is available in the vendor's references and in the ZUSO Advisory ZA-2026-02 message at https://zuso.ai/advisory/za-2026-02
Interinfo DreamMaker in all versions released before 2025/10/22
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X