Answer Brief
TWCERT/CC published a critical vulnerability notice for NewSoftOA, an office automation product from NewSoft (力新國際). The issue, tracked as CVE-2026-5965 and TVN-202604008, is an OS command injection flaw with a CVSS 3.1 score of 9.8. TWCERT/CC recommends upgrading to NewSoftOA 10.1.8.3 or later to address the risk.

Why It Matters
TWCERT/CC’s advisory describes a severe OS command injection vulnerability in NewSoftOA with a 9.8 CVSS score, indicating a high-likelihood, high-impact scenario if exploitation is possible in real deployments. The CVSS vector published by TWCERT/CC (AV:N/AC:L/PR:N/UI:N) suggests remote, low-complexity exploitation without authentication or user interaction; if accurate for exposed instances, this class of bug can enable direct command execution, which commonly translates into rapid server compromise and follow-on access to adjacent systems.
Although NewSoftOA is a Taiwan-origin product, the signal matters globally for security and infrastructure teams for two reasons. First, office automation and workflow platforms frequently sit on internal networks with broad integration to file shares, identity systems, and business processes, making them valuable pivot points. Second, vulnerabilities disclosed through regional CERT channels (like Taiwan’s TVN) can be early indicators for defenders outside the region—especially for multinational organizations with East Asia subsidiaries, shared service centers, or inherited line-of-business applications.
TWCERT/CC states the issue affects versions prior to 10.1.8.3 and recommends upgrading to 10.1.8.3 or later. The vulnerability was reported by Ting-Wei Hsieh of CHT Security. The advisory text does not provide exploit details, exposed endpoints, or evidence of active exploitation, so any operational conclusions beyond patch prioritization would be speculative based solely on the notice.
Event Type: security
Importance: high
Affected Companies
- CHT Security
- NewSoft (力新國際)
Affected Sectors
- Cybersecurity
- Enterprise Software
- IT Operations
Key Numbers
- CVSS v3.1 score: 9.8 (Critical)
- Affected versions: NewSoftOA versions earlier than 10.1.8.3
- Fixed version: 10.1.8.3 and later
- CVSS v3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Timeline
- TWCERT/CC publishes TVN-202604008 for NewSoftOA OS command injection (CVE-2026-5965).