Taiwan CERT warns of two high-severity flaws in Galaxia Info’s Vitals ESP (≤ 6.3)

Answer Brief

TWCERT/CC published a Taiwan Vulnerability Note (TVN-202603007) describing two high-severity vulnerabilities affecting Galaxia Information’s Vitals ESP up to and including version 6.3. One issue could allow an authenticated remote attacker to perform some admin functions and escalate privileges (CVE-2026-4639, CVSS 8.8). The other could allow an unauthenticated remote attacker to access some functions and obtain sensitive information (CVE-2026-4640, CVSS 7.5). TWCERT/CC advises customers to contact the vendor for a patch.


Why It Matters

This advisory is a concrete signal for identity and access control risk in enterprise software used in Taiwan’s market. The two issues cover both sides of access control failure: (1) incorrect authorization that can let a logged-in attacker reach administrative capabilities and potentially escalate privileges, and (2) missing authentication that can expose sensitive information to unauthenticated remote access. Together, they indicate that organizations running Vitals ESP should treat the product as an externally reachable attack surface where misconfigurations or internet exposure could quickly amplify impact.

For global security and cloud infrastructure teams, the Taiwan CERT disclosure matters in three ways. First, the CVSS vectors (network exploitable, low complexity, no user interaction) suggest these are the types of weaknesses that can be operationally significant when a service is reachable from untrusted networks. Second, the combination of authorization and authentication failures tends to map directly to identity governance concerns: privilege boundaries may not be consistently enforced, and some data may be retrievable without login. Third, the report credits a well-known Taiwan security research organization (DEVCORE) for reporting, which often indicates the findings are based on hands-on technical validation even though exploit details are not provided in the note.

TWCERT/CC’s remediation guidance is vendor-directed—customers are told to contact the vendor for fixes—so patch availability, fixed versions, and any mitigations are not confirmed in the advisory itself. Security programs tracking third-party application risk should ensure asset inventories can identify Vitals ESP instances and associated versions, and that patch/upgrade coordination can be prioritized accordingly.
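A defender-side triage of an asset inventory against this note, as an added example (not code from TWCERT/CC, DEVCORE or the vendor): the inventory records, field names such as `internet_exposed`, and the hostnames are constructed assumptions. It ranks Vitals ESP instances at or below 6.3 so that internet-reachable ones lead the patch/upgrade list and, because the note names no fixed version, flags newer versions for vendor confirmation rather than marking them safe.

```python
"""Triage an asset inventory against TVN-202603007 (Vitals ESP <= 6.3).
Added example, not code from TWCERT/CC or the vendor; inventory records and
field names are constructed. The note states no fixed version, so anything
newer than 6.3 is marked for vendor confirmation rather than assumed safe."""

AFFECTED_CEILING = (6, 3)  # "up to and including version 6.3"
PRIORITY_ORDER = {"P1": 0, "P2": 1, "P3": 2, "n/a": 3}


def parse_version(text: str) -> tuple[int, ...]:
    """Integer tuple so that 6.10 > 6.3; a plain string compare gets this wrong."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def triage(record: dict) -> tuple[str, str, str]:
    """Return (host, status, priority). Assumed keys: host, product, version, internet_exposed."""
    host = record["host"]
    if record.get("product", "").lower() != "vitals esp":
        return host, "not_in_scope", "n/a"
    try:
        version = parse_version(record.get("version", ""))
    except ValueError:
        return host, "unknown_version", "P2"   # cannot be proven safe; verify by hand
    if version <= AFFECTED_CEILING:
        # CVE-2026-4640 needs no authentication, so reachable hosts lead the list.
        return host, "affected", "P1" if record.get("internet_exposed") else "P2"
    return host, "confirm_with_vendor", "P3"


def report(inventory: list[dict]) -> list[tuple[str, str, str]]:
    """P1 first, so patch/upgrade coordination starts with exposed, affected hosts."""
    return sorted((triage(r) for r in inventory), key=lambda f: (PRIORITY_ORDER[f[2]], f[0]))


# Constructed sample inventory; hostnames are placeholders, not real systems.
SAMPLE_INVENTORY = [
    {"host": "esp-dmz-01", "product": "Vitals ESP", "version": "6.3", "internet_exposed": True},
    {"host": "esp-int-02", "product": "Vitals ESP", "version": "v6.1.4", "internet_exposed": False},
    {"host": "esp-int-03", "product": "Vitals ESP", "version": "6.10", "internet_exposed": False},
    {"host": "esp-int-04", "product": "Vitals ESP", "version": "unknown", "internet_exposed": True},
    {"host": "crm-01", "product": "Other CRM", "version": "2.0", "internet_exposed": True},
]

if __name__ == "__main__":
    for host, status, priority in report(SAMPLE_INVENTORY):
        print(f"{priority:3} {status:20} {host}")
```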

Event Type: security
Importance: high

Affected Companies

  • DEVCORE
  • Galaxia Info (叡揚資訊)
  • TWCERT/CC

Affected Sectors

  • Cybersecurity
  • Enterprise IT
  • Government/Regulatory

Key Numbers

  • TVN ID: TVN-202603007
  • Affected product: Vitals ESP (versions ≤ 6.3)
  • CVE-2026-4639 CVSS: 8.8 (High)
  • CVE-2026-4640 CVSS: 7.5 (High)

Timeline

  1. TWCERT/CC published TVN-202603007 covering CVE-2026-4639 and CVE-2026-4640 affecting Vitals ESP ≤ 6.3.

Sources
