PROBABLYPWNED
Vulnerabilities | April 21, 2026 | 3 min read

NewSoftOA Command Injection Lets Local Attackers Own Servers

CVE-2026-5965 in NewSoftOA enables unauthenticated OS command injection with CVSS 9.8. Local attackers can execute arbitrary commands and fully compromise systems.

Marcus Chen

A critical OS command injection vulnerability in NewSoftOA allows unauthenticated local attackers to execute arbitrary commands on affected servers. CVE-2026-5965, published April 21, 2026, carries a CVSS score of 9.8—making this a patch-now situation for any organization running NewSoftOA in their environment.

The vulnerability requires only local access to exploit. No authentication needed. An attacker who can reach the server can inject commands and achieve complete system compromise.

Technical Breakdown

OS command injection vulnerabilities occur when applications construct system commands using unsanitized external input. In CVE-2026-5965, NewSoftOA processes user-supplied input and incorporates it directly into a command executed by the server without proper validation or escaping.

The attack is straightforward:

  1. Attacker with local network access sends crafted input to a vulnerable NewSoftOA endpoint
  2. NewSoftOA fails to sanitize this input before passing it to the operating system
  3. The injected commands execute with the same privileges as the NewSoftOA process
  4. Attacker gains arbitrary command execution on the underlying server
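The mechanism described above is easiest to see in code. The following is an added illustration, not NewSoftOA's code (the advisory does not show the vulnerable handler, endpoint or parameter; the `export`/`file` names here are hypothetical). It places the unsafe pattern, a command string assembled from request input and destined for a shell, beside the two fixes a reviewer would ask for: passing the command as an argument vector with no shell at all, and allow-listing the input before it gets anywhere near a process. The tainted sample value is constructed and is never handed to a shell anywhere in the file.

```python
import re
import subprocess
import sys

# Constructed sample input: a file name that also carries a command separator.
# Nothing in this module ever runs it through a shell.
TAINTED_NAME = "report.txt; echo INJECTED"

# Characters the POSIX shell interprets. A plain file name never needs any of them.
_SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\'\"*?!~#]")


def build_shell_command_unsafe(filename: str) -> str:
    """The vulnerable pattern: request input concatenated into a string that the
    server would hand to a shell (e.g. subprocess.run(..., shell=True)).
    Returned for inspection rather than executed."""
    return "cat " + filename


def contains_shell_metacharacters(text: str) -> bool:
    """Cheap triage check: would a shell treat any part of this as syntax?"""
    return _SHELL_META.search(text) is not None


def build_argv_safe(filename: str) -> list:
    """Fix 1: keep the command as an argument vector. Each element reaches
    execve() as one argument, so ';' or '$(...)' stay literal text. The '--'
    stops a name beginning with '-' from being read as an option."""
    return ["cat", "--", filename]


def is_allowed_filename(filename: str) -> bool:
    """Fix 2: allow-list the input. A flat file name of safe characters, no
    leading '-', no path separators, no shell syntax; everything else is rejected
    instead of being 'escaped'."""
    return re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}", filename) is not None


def echo_without_shell(text: str) -> str:
    """Demonstrates argv passing: a child Python process receives `text` as
    sys.argv[1] and writes it back unchanged. Using the interpreter itself as the
    child keeps the demo independent of which shell tools are installed."""
    argv = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", text]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def handle_export_request(filename: str) -> list:
    """Hardened handler for the hypothetical export action: validate, then build
    an argv list. Returns the argv it would execute so callers can test it."""
    if not is_allowed_filename(filename):
        raise ValueError("export: file name rejected by allow-list")
    return build_argv_safe(filename)


if __name__ == "__main__":
    print("unsafe string :", build_shell_command_unsafe(TAINTED_NAME))
    print("safe argv     :", build_argv_safe(TAINTED_NAME))
    print("argv survives :", repr(echo_without_shell(TAINTED_NAME)))
    print("allow-listed? :", is_allowed_filename(TAINTED_NAME))
```

The two fixes are complementary rather than alternatives: the argv form removes the shell from the picture, and the allow-list stops oversized or option-like names from reaching the tool at all. Escaping with something like `shlex.quote` is a distant third choice, because it only helps if every call site remembers to use it.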

What makes this particularly dangerous is the lack of authentication requirements. Many command injection vulnerabilities require some level of authenticated access first. CVE-2026-5965 removes that barrier entirely—local network access is sufficient.

Impact Assessment

Successful exploitation gives attackers full control over the system running NewSoftOA. This includes:

  • Complete confidentiality breach - Access to all data on the server
  • Integrity compromise - Ability to modify files, configurations, and software
  • Availability impact - Capability to disrupt or destroy services

The "local access" requirement limits the attack surface somewhat—remote exploitation over the internet isn't directly possible. But in enterprise environments with flat networks, an attacker who compromises any internal system could pivot to target NewSoftOA installations. This is exactly how lateral movement enabled the SAP BPC breach we covered last week.

No Affected Versions Listed

The advisory notably fails to specify which NewSoftOA versions contain this vulnerability. Researchers should assume the latest version is vulnerable unless the vendor explicitly states otherwise through a security bulletin.

This ambiguity complicates the remediation process. Organizations can't simply check a version number against a known-bad list. Instead, they need to either:

  • Contact NewSoft directly for patch information
  • Monitor for a vendor security advisory
  • Consider taking NewSoftOA offline until clarity emerges

Recommended Actions

  1. Identify all NewSoftOA installations in your environment
  2. Review network access - Limit which systems can reach NewSoftOA servers
  3. Monitor for patches - Check NewSoft's security communications for updates
  4. Enable logging - Ensure command execution and access logs are captured
  5. Segment networks - Isolate NewSoftOA servers from general user networks
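Step 4 (enable logging) is only useful if someone looks at the logs. The following is an added example, not part of the original article and not a NewSoftOA feature: a small scanner that reads web-server access logs in the common log format, URL-decodes every query parameter, and flags values containing shell metacharacters, then counts hits per client so that repeated probing from one internal host stands out. The log lines, the `/oa/export` path and the `file` parameter are constructed for the demo; the real NewSoftOA endpoint is not named in the advisory, so point the scanner at whatever paths the product actually serves.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log (common log format). Not real NewSoftOA output.
SAMPLE_LOG = """\
10.0.5.21 - - [21/Apr/2026:09:14:02 +0000] "GET /oa/export?file=report.txt HTTP/1.1" 200 512
10.0.5.87 - - [21/Apr/2026:09:14:09 +0000] "GET /oa/export?file=report.txt%3Becho%20probe HTTP/1.1" 200 98
10.0.5.87 - - [21/Apr/2026:09:14:11 +0000] "GET /oa/export?file=%24%28hostname%29 HTTP/1.1" 200 70
10.0.5.42 - - [21/Apr/2026:09:15:30 +0000] "POST /oa/login HTTP/1.1" 302 0
"""

# client - - [timestamp] "METHOD target PROTO" status size
_CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Shell syntax that has no business inside a file name, path or similar field.
_SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\'\"*?!~#]")


def parse_line(line: str):
    """Return the CLF fields of one line as a dict, or None if it does not parse."""
    m = _CLF.match(line)
    return m.groupdict() if m else None


def suspicious_parameters(target: str) -> list:
    """Decode the query string of a request target and return the (name, value)
    pairs whose decoded value contains shell metacharacters. Decoding first is
    essential: '%3B' in the raw log is a harmless-looking ';' once the server
    sees it."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if _SHELL_META.search(value):
            hits.append((name, value))
    return hits


def scan_log(text: str) -> list:
    """Run every line through the parser and the parameter check. Each finding
    records who sent what, to which path, and when."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in suspicious_parameters(rec["target"]):
            findings.append({
                "client": rec["client"],
                "ts": rec["ts"],
                "path": urlsplit(rec["target"]).path,
                "param": name,
                "value": value,
                "status": rec["status"],
            })
    return findings


def repeat_offenders(findings: list, threshold: int = 2) -> dict:
    """Clients with at least `threshold` flagged requests; one odd value may be
    a typo, several in quick succession from the same host usually is not."""
    counts = Counter(f["client"] for f in findings)
    return {client: n for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['client']} {f['path']} {f['param']}={f['value']!r} -> {f['status']}")
    print("repeat offenders:", repeat_offenders(found))
```

A 200 status on a flagged request is worth a closer look than a 4xx: it means the application accepted the input rather than rejecting it. The same check applies to POST bodies if the server logs them, and to application-level logs that record which command a handler actually ran, which is the more direct signal the article's "command execution logs" recommendation is after.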

For organizations that cannot immediately patch, network-level controls offer temporary mitigation. Restricting which hosts can communicate with NewSoftOA servers limits the pool of potential attackers to only those with access to permitted systems.

Why This Matters

Command injection vulnerabilities should be extinct. It's 2026, and we've known how to prevent this class of bug since the 1990s: parameterized commands, input validation, least-privilege execution. Yet critical command injection flaws keep appearing in enterprise software.

The pattern suggests vendors are still shipping products without adequate security review. When CISA recently added eight new vulnerabilities to its KEV catalog, several were command injection variants—a reminder that this bug class remains actively exploited despite being entirely preventable.

Organizations deploying any server software need to assume vulnerabilities exist and plan accordingly. That means network segmentation, monitoring, and incident response capabilities—because patches won't always arrive before attackers figure out how to exploit flaws like CVE-2026-5965.
