Answer Brief
Taiwan’s TWCERT/CC disclosed two high-severity vulnerabilities affecting ThreatSonar Anti-Ransomware versions earlier than 4.0.0: an arbitrary file deletion issue via path traversal (CVE-2026-5966) and a privilege escalation flaw enabling OS command injection executed as root (CVE-2026-5967). Both issues require authentication and specific operational access (web or shell). TWCERT/CC recommends installing the vendor patch identified as version 20260302.

Why It Matters
This disclosure matters because anti-ransomware products often run with elevated privileges and sit close to critical endpoints and server workflows; when flaws exist in the protective layer itself, the product can become a high-leverage target in an attacker’s post-compromise chain.
According to TWCERT/CC, both vulnerabilities are reachable by remote attackers who are already authenticated, but the required access differs: CVE-2026-5966 requires authenticated “web operation” permissions and enables arbitrary file deletion through a path traversal condition. In operational terms, arbitrary file deletion can be used to disrupt services, remove security- or application-critical files, or set up subsequent exploitation paths depending on what the product and host OS allow.
CVE-2026-5967 is described as an authenticated issue requiring “shell operation” permissions, where OS commands can be injected and executed with root privileges. If accurate in real-world deployments, that combination (command injection + root execution) can turn a limited remote foothold into full host control on affected systems.
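The two flaw classes the advisory names, path-traversal file deletion behind a "web operation" role and command injection behind a "shell operation" role, are shown here with the containment checks a defender would expect a product to enforce. This is an added example, not code from ThreatSonar or TeamT5; the quarantine directory, tool path and filename pattern are hypothetical.

```python
import re
import subprocess
from pathlib import Path
from typing import Optional

# Hypothetical policy: an operator may only name a bare file inside the base
# directory. Path separators, shell metacharacters and NUL are refused up front.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,128}$")


def resolve_within(base: Path, user_supplied: str) -> Optional[Path]:
    """Return base/user_supplied only if the fully resolved path stays inside base."""
    base = base.resolve()
    # resolve() collapses ".." segments and follows symlinks, so a traversal
    # attempt lands outside base and fails the containment test below.
    candidate = (base / user_supplied).resolve()
    if candidate == base or base not in candidate.parents:
        return None
    return candidate


def delete_quarantined(base: Path, user_supplied: str) -> bool:
    """Handle a 'web operation' delete request; only regular files under base go."""
    target = resolve_within(base, user_supplied)
    if target is None or not target.is_file():
        return False
    target.unlink()
    return True


def run_scan_tool(tool: str, target_name: str) -> Optional[subprocess.CompletedProcess]:
    """Handle a 'shell operation' request by invoking a fixed binary (hypothetical path)
    with an argument vector. shell=False means no shell ever parses the input, and
    the SAFE_NAME check rejects anything that is not a plain identifier."""
    if not SAFE_NAME.match(target_name):
        return None
    return subprocess.run([tool, target_name], shell=False,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    base = Path("/var/lib/example-av/quarantine")  # hypothetical directory
    print(resolve_within(base, "sample.bin"))        # inside base: a Path
    print(resolve_within(base, "../../etc/passwd"))  # traversal: None
    print(run_scan_tool("/bin/echo", "host-01; id")) # metacharacters: None
```

Both checks refuse the request before any filesystem or process call is made, which is the point where a product running as root has to draw the line.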
For global security, cloud, and infrastructure teams, the Taiwan signal is useful for two reasons: (1) TWCERT/CC advisories frequently capture vulnerabilities in products deployed across enterprise environments in East Asia, including in mixed on-prem and hosted infrastructures; and (2) the access prerequisites (“web operation” vs “shell operation”) highlight the importance of strict role separation and least-privilege design in security tooling—especially for remotely managed endpoint/host protection systems.
TWCERT/CC states affected versions are ThreatSonar Anti-Ransomware prior to 4.0.0 and recommends applying the patch identified as version 20260302. No additional exploitation details or in-the-wild activity are described in the advisory.
Event Type: security
Importance: high
Affected Companies
- TWCERT/CC (台灣電腦網路危機處理暨協調中心)
- TeamT5 (杜浦數位安全)
- ThreatSonar Anti-Ransomware
Affected Sectors
- Cybersecurity
- Endpoint security
- IT operations
Key Numbers
- Affected versions: ThreatSonar Anti-Ransomware < 4.0.0
- CVE-2026-5966 CVSS v3.1: 8.1 (High)
- CVE-2026-5967 CVSS v3.1: 8.8 (High)
- Recommended patch: 20260302
Timeline
- TWCERT/CC publishes TVN-202604007 disclosing CVE-2026-5966 and CVE-2026-5967 for ThreatSonar Anti-Ransomware.