External risk intelligence

R-SOFT DMS OCR OS Command Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.0)

CVE-2026-41880

The vulnerability exists in an OCR module within a document management system. While the system may be internet-accessible, the specific exploit requires an authenticated user to trigger the functionality, and standard web upload flows include encoding that neutralizes the injection, making public internet exploitation less straightforward.

OS Command Injection

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

R-SOFT DMS has a critical vulnerability in its Optical Character Recognition module that could allow an authenticated attacker to execute operating system commands with root privileges. While standard upload processes mitigate this risk, triggering the OCR functionality directly bypasses these protections, posing a significant security concern for systems that utilize this feature.

  • Command injection in document processing.
  • Potential for unauthorized system control.
  • Confirm relevance and exposure of OCR module.

Attack Path

How an attacker could exploit the issue

An attacker with authenticated access to R-SOFT DMS could trigger the Optical Character Recognition (OCR) module. By carefully crafting a file path, they could bypass security checks and inject operating system commands. If successful, these commands would execute with root privileges, potentially allowing the attacker to take full control of the system.

  • Requires authenticated access.
  • Triggered by using the OCR module.
  • Risk of root-level command execution.

Live Threat

Current exploitation, exposure, and threat context

The Optical Character Recognition (OCR) module in R-SOFT DMS could allow an authenticated attacker to execute operating system commands as a root user. This may occur when the attacker can trigger the OCR functionality for an uploaded file, and when specific infrastructure conditions do not neutralize the injection via URL encoding.

  • Root user privileges and system access at risk.
  • Triggering OCR on an uploaded file.
  • Potential for unauthorized system command execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

The R-SOFT DMS document management system's OCR module is susceptible to OS command injection, potentially allowing an authenticated, but unprivileged, attacker to execute commands as root. Given that this vulnerability requires triggering specific functionality after authentication and that some standard upload flows neutralize the injection, the immediate priority is to identify instances of R-SOFT DMS, confirm their exposure and criticality, and assign ownership for remediation.

  • Application owners own the vulnerability.
  • Verify OCR module reachability and criticality.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is R-SOFT DMS?

R-SOFT DMS is a document management system designed to organize, store, and process digital files. It includes an Optical Character Recognition (OCR) module, which is a specialized component used to extract and convert text from images or scanned documents into machine-readable data, facilitating easier searching and management of documents within the system.

What does CVE-2026-41880 mean for system security?

This vulnerability is classified as OS Command Injection (CWE-78). It means the OCR module fails to properly validate user-supplied file paths before passing them to the system shell. If exploited, an attacker can force the server to run unauthorized system commands. Because these commands execute with root-level privileges, a successful attack could provide full control over the underlying operating system.

How is this OS command injection triggered?

An attacker must be authenticated to the system and specifically trigger the OCR functionality for a malicious file. Notably, simply uploading a file via the standard web interface is generally insufficient; the system's built-in URL encoding currently neutralizes the attack path during those routine upload flows. The vulnerability specifically activates when the application bypasses these protections to process files through the OCR module.

Is my system at risk if it faces the internet?

Halo Surface Signal indicates that while the system may be internet-facing, the requirement for authentication and the specific conditions needed to bypass standard URL encoding make direct exploitation from the public internet less straightforward. You should focus on environments where users have authenticated access to document management features, as those internal pathways present the most likely route for exploitation.

What should I do to address this vulnerability?

First, identify all instances of R-SOFT DMS within your infrastructure and determine if the OCR module is enabled or reachable. Verify your current software version, as the vendor has released patches in versions v3.19-2862 and v3.17-2580 to resolve this flaw. Coordinate with your application owners to prioritize upgrading to these versions to eliminate the risk of unauthorized root-level command execution.

References