External risk intelligence

LimRAD NAC Unrestricted File Upload Vulnerability Allows Remote Code Inclusion

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-7852

An unrestricted file upload vulnerability in LimRAD NAC allows remote code inclusion, potentially enabling unauthorized access and control. This issue poses a risk if the system is reachable, as it could lead to compromised system integrity and arbitrary command execution. Leaders should focus on identifying affected i

4Halo Surface Signal

Unrestricted File Upload

External exposure likelihood

Halo Surface Signal score for CVE-2026-7852

LimRAD NAC (Network Access Control) is a network infrastructure appliance designed to manage and control access to network resources. Such systems are typically deployed as gateways or edge services to enforce security policies, making their management interfaces or service portals frequently reachable from the network edge or directly exposed to facilitate remote access and authentication.

PCI scan relevance

PCI Relevance for CVE-2026-7852

Yes

CVE-2026-7852 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows for remote code inclusion, which is an automatic fail condition for PCI ASV scans, regardless of its CVSS score.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability allows an attacker to upload a dangerous file type to the LimRAD NAC system, potentially leading to remote code inclusion. This could permit unauthorized access and control of the network access control system. The main concern is confirming relevance and exposure, as critical infrastructure components like Network Access Control systems can be attractive targets.

Unrestricted file upload could enable remote code execution.
Critical network access control systems are a potential target.
Confirming relevance and exposure is the primary leadership concern.

Attack Path

How an attacker could exploit the issue

An attacker can leverage an unrestricted file upload vulnerability in the LimRAD NAC system to include malicious code remotely. This could potentially allow them to execute arbitrary commands or gain unauthorized access to the system.

No authentication required.
Uploading a specially crafted file.
Remote code inclusion.

Live Threat

Current exploitation, exposure, and threat context

A critical vulnerability in LimRAD NAC could allow an attacker to include malicious code on a system, potentially leading to unauthorized access and control. This could occur when the system is exposed to the network and an attacker can leverage the unrestricted file upload feature to execute arbitrary commands.

Remote code inclusion could occur.
Upload of dangerous file types.
Compromise of system integrity.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The LimRAD NAC is a network access control system, likely managed by network or security teams. The first practical step is to identify all instances of LimRAD NAC within your environment, determine their network exposure and business criticality, and then confirm the accountable owner for remediation.

Network or security teams own this.
Verify LimRAD NAC exposure and criticality.
Plan remediation during a maintenance window.

Frequently asked questions

What is LimRAD NAC?

LimRAD NAC is a Network Access Control appliance. Organizations use it as a gatekeeper to manage, authenticate, and enforce security policies for devices attempting to connect to network resources. Because it acts as an infrastructure gateway, it often sits at the network edge to facilitate connectivity for users and systems.

What does CWE-434 mean for CVE-2026-7852?

CWE-434 refers to an Unrestricted Upload of File with Dangerous Type. In the context of this CVE, it means the LimRAD NAC software lacks sufficient checks on the types of files users can upload to the system. An attacker can exploit this weakness to upload malicious code that the system then incorrectly processes or executes.

How does an attacker trigger this vulnerability?

An attacker triggers this by uploading a specially crafted, malicious file to the LimRAD NAC system. Importantly, the vulnerability does not require the attacker to have valid login credentials; they can initiate the upload remotely without authentication. Simple, benign file uploads used for normal system administration do not trigger the bug.

Do I need to worry about this if my system is internal?

Halo Surface Signal indicates that LimRAD NAC systems are often deployed as gateways or edge services, meaning they are frequently reachable from the network edge. If your instance is directly exposed to the internet, it is at higher risk. Even for internal systems, you should assess the risk based on the potential impact if a compromised user or device on your network were to target this appliance.

What should I do first to address CVE-2026-7852?

Start by identifying all instances of LimRAD NAC in your environment and confirming their version numbers. Verify if your specific installations are running versions older than 5.5.7.3.9, which are the affected releases. Once identified, work with the accountable system owners to prioritize these assets for updates and plan the necessary remediation during your next available maintenance window.

References

siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0366

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.