External risk intelligence

Eclipse BaSyx SDK Arbitrary File Write via AAS Thumbnail API

CVE advisorySeverity: CRITICAL (CVSS 9.0)

CVE-2026-57898

The vulnerability exists in an API endpoint (AAS thumbnail API) within a server SDK typically used to build internet-facing or network-accessible industrial/web services. As an API endpoint that processes user-supplied file operations, it is commonly exposed in web-based deployments of the SDK.

Path Traversal

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability in Eclipse BaSyx Java Server SDK allows unauthenticated attackers to write arbitrary files to the server by exploiting the AAS thumbnail API, potentially leading to remote code execution if the MongoDB backend is used. The main concern is confirming relevance and exposure, as the vulnerability lies within an API commonly exposed in web-based deployments.

  • Unauthenticated file writes possible via thumbnail API.
  • Critical vulnerability could lead to code execution.
  • Confirm relevance and exposure of affected systems.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted requests to the AAS thumbnail API, bypassing authentication. This API, when configured with a MongoDB backend, mishandles filenames, treating them as both storage keys and file paths. By providing an absolute or traversal-style filename, an attacker could cause arbitrary files to be written to the server's filesystem, potentially leading to code execution.

  • Unauthenticated network access needed.
  • Uploading a malicious filename to the API.
  • Arbitrary file write on server.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, deployments using the MongoDB backend could allow an unauthenticated remote attacker to write arbitrary files to the server's filesystem by exploiting the AAS thumbnail API. This could potentially lead to remote code execution, affecting any data or system the Java process has write permissions for.

  • Arbitrary file writes on the server.
  • Malicious filenames in API requests.
  • Potential for remote code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams responsible for application platforms and infrastructure hosting the Eclipse BaSyx Java Server SDK should prioritize identifying affected deployments. The first practical move is to locate all instances, determine their exposure and criticality, and identify the accountable owner for remediation planning.

  • Own by application or platform team.
  • Verify MongoDB backend usage and reachability.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Eclipse BaSyx Java Server SDK?

Eclipse BaSyx is a software framework designed to implement Industry 4.0 components, such as Asset Administration Shells (AAS). It provides developers with the building blocks to manage digital twins and interoperate between industrial assets and IT systems. The Java Server SDK specifically offers the infrastructure to host these shells as web services, utilizing various backend storage options to manage the associated data and files.

What does CVE-2026-57898 mean for system security?

This vulnerability is classified as Improper Limitation of a Pathname to a Restricted Directory (CWE-22) and External Control of File Name (CWE-73). In plain terms, the software fails to properly sanitize user-provided filenames. This allows an attacker to manipulate the file path, escaping the intended storage location to write files elsewhere on the server's filesystem, which can result in the attacker gaining unauthorized control over the system.

How does an attacker trigger this file write?

An attacker sends a request to the AAS thumbnail API containing a malicious filename, such as one using directory traversal sequences or absolute paths. When the MongoDB backend is active, the system incorrectly processes this name as a filesystem path instead of just a database key. Importantly, deployments using the default InMemory backend are not susceptible because that configuration correctly restricts file paths to a safe, designated temporary directory.

Is my system at risk for this vulnerability?

Halo Surface Signal indicates that because this vulnerability resides in an API endpoint frequently used for web-based services, systems that are internet-facing or widely accessible on your network are at higher risk. You should specifically check if your BaSyx deployments are configured to use the MongoDB backend, as this is the critical requirement for the vulnerability to be exploitable.

What should I do to address this issue?

The immediate priority is to identify all running instances of the Eclipse BaSyx Java Server SDK within your infrastructure. Once identified, verify which deployments rely on the MongoDB backend. Work with your application owners to confirm their current version and plan for an update to version 2.0.0-milestone-13, which contains the necessary security fixes to remediate this flaw.

References