[Security Vulnerability Alert] BorG Technology Corporation | Borg SPM 2007 - 3 Vulnerabilities Exist

 
2026/4/30 ~ 2026/10/30

Forwarded from Taiwan Computer Network Crisis Management and Coordination Center: Cybersecurity Alert TWCERTCC-200-202604-00000026

[Content Description]
【BorG Technology Corporation | Borg SPM 2007 - Arbitrary File Upload】(CVE-2026-6885, CVSS: 9.8) An unauthenticated remote attacker can upload and execute a web backdoor program, thereby executing arbitrary code on the server.

【BorG Technology Corporation | Borg SPM 2007 - Authentication Bypass】(CVE-2026-6886, CVSS: 9.8) An unauthenticated remote attacker can log in to the system as any user.

【BorG Technology Corporation | Borg SPM 2007 - SQL Injection】(CVE-2026-6887, CVSS: 9.8) An unauthenticated remote attacker can inject arbitrary SQL commands to read, modify, and delete database contents.

[Affected Platforms]
Borg SPM 2007 (discontinued in 2008)

[Recommended Actions]
Regardless of the system version, customers with ongoing maintenance contracts should contact the vendor for assistance with patching or upgrading to the latest version (SPM2025 SP1 has passed source code testing).

Users who have not signed a maintenance contract and are still using this version of the system should contact the vendor to discuss further action.

[References]
1. https://www.twcert.org.tw/tw/cp-132-10861-b8709-1.html
