Taiwan CERT warns of three vulnerabilities in WeiQiao Information SSO and electronic directory system, including critical unauthenticated LFI (CVE-2026-3826)

Answer Brief

TWCERT/CC disclosed three vulnerabilities affecting WeiQiao Information’s “Single Sign-On and Electronic Directory Service System” (單一簽入暨電子目錄服務系統). Two medium-severity issues are open redirect (CVE-2026-3824) and reflected XSS (CVE-2026-3825), both described as exploitable by authenticated remote attackers via user interaction. A critical issue, CVE-2026-3826 (CVSS 9.8), is a local file inclusion flaw described as exploitable by an unauthenticated remote attacker and could enable server-side arbitrary code execution. TWCERT/CC recommends upgrading to IFTOP_P4_181 or later; versions before IFTOP_P4_181 are affected.

[Image: abstract diagram of an SSO gateway connected to directory and application services, with risk heatmap overlays highlighting multiple vulnerabilities, including a critical issue.]

Why It Matters

This TWCERT/CC advisory is a high-signal identity and access risk item because the affected product is positioned as an SSO and electronic directory service system—components that often sit in front of broad enterprise application estates. While the advisory does not state how widely deployed the product is, identity gateways and directory-adjacent services are typically high-value targets due to their role in authentication flows, session handling, and user redirection.

The most consequential issue is CVE-2026-3826, scored 9.8 (Critical) with a vector consistent with unauthenticated, network-reachable exploitation. TWCERT/CC describes it as a local file inclusion (LFI) weakness that could allow an unauthenticated remote attacker to achieve server-side arbitrary code execution. If accurate for a given deployment, this elevates the risk from user-targeted social engineering to potential direct compromise of the server hosting the SSO/directory service, with downstream implications for authentication trust and access paths.

The other two vulnerabilities—CVE-2026-3824 (open redirect) and CVE-2026-3825 (reflected XSS)—are scored 6.1 (Medium) and described as requiring an authenticated attacker and user interaction. In identity-centric web applications, redirect and XSS issues can be especially useful as enablers for phishing and session abuse because they can make malicious links appear to originate from a trusted SSO portal domain. Even when “only” medium severity, these classes of bugs can materially increase the success rate of credential-harvesting campaigns when paired with convincing login flows.
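The open-redirect class described above is worth seeing in code: a "return to" parameter on an SSO login endpoint that is checked with a loose prefix or substring test will happily send a browser to an attacker-controlled host while the link itself shows the trusted portal domain. The following is an added example, not code from the advisory or from the affected product; the parameter name `return_url`, the hosts and the landing page are assumptions.

```python
"""Allowlist-based validation of an SSO post-login redirect target.

Added illustration (hypothetical portal, not the affected product):
`weak_is_safe` shows the bypassable check, `safe_return_url` the fix.
"""
from urllib.parse import urljoin, urlsplit

# Hosts the portal may send a browser back to (assumed values).
ALLOWED_HOSTS = frozenset({"sso.example.com", "app.example.com"})
PORTAL_ORIGIN = "https://sso.example.com"
DEFAULT_LANDING = PORTAL_ORIGIN + "/portal/home"


def weak_is_safe(return_url: str) -> bool:
    """Naive check: 'starts with /' or 'contains our domain'.

    '//evil.example' passes the first test, and
    'https://sso.example.com.evil.example/' passes the second.
    """
    return return_url.startswith("/") or "sso.example.com" in return_url


def safe_return_url(return_url: str) -> str:
    """Return an absolute redirect target on an allowlisted host.

    Anything that would leave the allowlist (absolute URL to another
    host, protocol-relative '//host', backslash variants, userinfo or
    port tricks, non-http schemes) collapses to DEFAULT_LANDING.
    """
    if not return_url:
        return DEFAULT_LANDING
    # Browsers treat backslashes as slashes, so normalise before parsing;
    # otherwise '/\\evil.example' would look like a local path.
    candidate = return_url.replace("\\", "/")
    # Resolve against the portal origin so '//host' and 'https://host'
    # are handled the same way as absolute URLs.
    parts = urlsplit(urljoin(PORTAL_ORIGIN + "/", candidate))
    if parts.scheme not in ("http", "https"):
        return DEFAULT_LANDING
    # hostname is lower-cased and stripped of userinfo/port; requiring
    # netloc to equal it rejects 'user@host', 'host:8443' and similar.
    if parts.hostname not in ALLOWED_HOSTS or parts.netloc.lower() != parts.hostname:
        return DEFAULT_LANDING
    # Re-emit only path and query; fragments are never forwarded.
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return f"https://{parts.hostname}{path}"
```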

For global security and cloud/infra teams, the Taiwan-local disclosure matters because many multinational organizations operate regional identity infrastructure or subsidiaries that may procure local IAM/SSO solutions. Additionally, identity services often integrate with cloud apps and on-prem systems, meaning a compromise in a regional SSO front door can have cross-environment blast radius. The advisory’s mitigation is straightforward—upgrade to IFTOP_P4_181 or later—but the key operational takeaway is to treat identity edge services as Tier-0 assets and ensure vulnerability intake processes include regional CERT disclosures, not only major global vendor bulletins.

Event Type: security
Importance: high

Affected Companies

  • WeiQiao Information (葳橋資訊)

Affected Sectors

  • Cybersecurity
  • Enterprise IT
  • IAM/SSO
  • Identity

Key Numbers

  • TVN ID: TVN-202603005
  • CVE: CVE-2026-3824
  • CVE: CVE-2026-3825
  • CVE: CVE-2026-3826
  • CVSS (CVE-2026-3824): 6.1 (Medium)
  • CVSS (CVE-2026-3825): 6.1 (Medium)
  • CVSS (CVE-2026-3826): 9.8 (Critical)
  • Affected versions: Earlier than IFTOP_P4_181
  • Fixed version: IFTOP_P4_181 and later
  • Public disclosure date: 2026-03-11

Timeline

  1. TWCERT/CC publishes TVN-202603005 detailing three vulnerabilities (CVE-2026-3824/3825/3826) and recommends upgrading to IFTOP_P4_181 or later.
