Executive Summary
A critical unauthenticated arbitrary file write vulnerability — CVE-2026-57898 — has been disclosed in the Eclipse BaSyx Java Server SDK, a widely used platform for Industry 4.0 / IIoT (Industrial Internet of Things) deployments implementing the Asset Administration Shell (AAS) standard.
CVSS Score: 9.0 (Critical)
The flaw exists in the AAS thumbnail upload API, which accepts a client-controlled fileName request parameter. Deployments using the MongoDB backend are vulnerable to an unauthenticated attacker writing arbitrary files to the server filesystem, potentially leading to remote code execution.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-57898 |
| CVSS Score | 9.0 (Critical) |
| Type | Unauthenticated Arbitrary File Write |
| Component | AAS Thumbnail Upload API |
| Backend | MongoDB |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Affected SDK Versions | 2.0.0-milestone-05 to 2.0.0-milestone-12 |
Background: Eclipse BaSyx and AAS
The Eclipse BaSyx project is an open-source middleware platform implementing the Asset Administration Shell (AAS) specification from the Industrial Digital Twin Association (IDTA). AAS is a key concept in Industry 4.0, providing a standardized digital representation of physical industrial assets — machines, components, factories — enabling interoperability across the industrial supply chain.
BaSyx is deployed across:
- Smart manufacturing environments
- Industrial automation systems
- Digital twin infrastructure
- Supply chain management platforms
- Factory floor OT/IT convergence systems
The Java Server SDK provides the backend services for hosting and managing AAS repositories. The MongoDB backend variant stores AAS data in MongoDB rather than in-memory or on-disk.
Affected Versions
| Component | Affected Versions | Backend |
|---|---|---|
| Eclipse BaSyx Java Server SDK | 2.0.0-milestone-05 to 2.0.0-milestone-12 | MongoDB only |
Vulnerability Details
The AAS specification includes support for thumbnail images associated with Asset Administration Shells. The BaSyx SDK exposes an HTTP API endpoint for uploading these thumbnails.
In the vulnerable versions, the thumbnail upload path accepts a fileName request parameter that is entirely controlled by the client. The SDK fails to sanitize or validate this parameter, allowing:
- Path traversal — using
../sequences to write outside the intended upload directory - Arbitrary filename — specifying any file extension, including executable types
- No authentication check — the upload endpoint can be accessed without credentials
POST /shells/{aasId}/asset-information/thumbnail?fileName=../../webroot/shell.jsp
Content-Type: image/jpeg
[malicious JSP payload content]Attack Scenario
1. Attacker discovers internet-exposed BaSyx SDK instance (MongoDB backend)
2. Attacker crafts HTTP POST to AAS thumbnail upload endpoint
3. Malicious fileName parameter contains path traversal: ../../deploy/shell.war
4. SDK writes attacker-controlled content to arbitrary server path
5. Attacker accesses uploaded file via web server / application server
6. Remote code execution achieved on industrial control system host
7. Potential lateral movement into OT network or connected factory systemsImpact in Industrial Environments
| Impact | Description |
|---|---|
| Remote Code Execution | Write and execute malicious code on the BaSyx server |
| OT Network Pivot | Use compromised server to reach operational technology systems |
| AAS Data Tampering | Modify digital twin data, falsifying asset information |
| Supply Chain Disruption | Corrupt or destroy AAS repository data |
| Industrial Espionage | Exfiltrate proprietary asset configuration data |
| Ransomware Deployment | Stage ransomware for industrial systems |
Immediate Remediation
Step 1: Upgrade the SDK
Update to a patched version beyond 2.0.0-milestone-12. Check the Eclipse BaSyx releases page for the latest patched release.
<!-- Maven — update your pom.xml -->
<dependency>
<groupId>org.eclipse.digitaltwin.basyx</groupId>
<artifactId>basyx.aasrepository-backend-mongodb</artifactId>
<version><!-- use patched version --></version>
</dependency>// Gradle — update build.gradle
implementation 'org.eclipse.digitaltwin.basyx:basyx.aasrepository-backend-mongodb:<patched-version>'Step 2: Restrict API Access Immediately
If you cannot patch immediately, restrict access to the thumbnail upload endpoint:
# Nginx — block thumbnail upload endpoint from unauthorized sources
location ~ /asset-information/thumbnail {
# Deny external access
deny all;
# Or restrict to internal IPs only
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
}# WAF rule — block path traversal in fileName parameter
# (ModSecurity / similar)
SecRule ARGS:fileName "@contains ../" \
"id:1001,phase:2,block,msg:'Path traversal in BaSyx fileName parameter'"Step 3: Add Authentication Layer
Deploy an authentication proxy in front of BaSyx API endpoints:
# Example: Traefik middleware for BaSyx
http:
middlewares:
basyx-auth:
basicAuth:
users:
- "admin:$2y$05$..."
routers:
basyx:
rule: "Host(`basyx.internal`)"
middlewares:
- basyx-authStep 4: Scan for Existing Compromise
# Search for recently created files in BaSyx directories
find /opt/basyx -newer /opt/basyx/README.md -type f -not -name "*.log"
# Look for suspicious file extensions in upload directories
find /opt/basyx -name "*.jsp" -o -name "*.war" -o -name "*.sh" | grep -v ".git"
# Check for unexpected outbound connections from BaSyx host
ss -tnp | grep java | awk '{print $5}'Detection Indicators
| Indicator | Description |
|---|---|
POST requests with fileName=../ | Path traversal exploitation attempts |
| Files with executable extensions in upload paths | Webshells or backdoors written via the vulnerability |
| Unexpected JAR/WAR files in deploy directories | Malicious application packages deployed |
| Outbound connections from BaSyx process | Post-exploitation C2 communication |
| MongoDB queries writing to unusual collections | Attacker manipulating AAS data store |
Post-Remediation Steps
- Verify SDK version is beyond milestone-12
- Audit all files in BaSyx working directories for unexpected content
- Rotate credentials — MongoDB connection strings, API keys, service accounts
- Review MongoDB access logs for unauthorized operations
- Implement authentication on all BaSyx API endpoints
- Network segment the BaSyx server — it should not be internet-facing
- Monitor for lateral movement from the BaSyx host into OT systems
- File integrity monitoring on BaSyx directories
References
- NIST NVD — CVE-2026-57898
- Eclipse BaSyx GitHub Repository
- Industrial Digital Twin Association — AAS Specification