CVE-2026-5965: NewSoftOA Critical OS Command Injection (CVSS 9.8)

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

A critical OS command injection vulnerability in NewSoftOA by NewSoft allows unauthenticated local attackers to inject and execute arbitrary OS commands on the server. CVSS score 9.8.

Dylan H.

Security Team

April 21, 2026

A critical OS command injection vulnerability has been disclosed in NewSoftOA, a product developed by NewSoft. Tracked as CVE-2026-5965 with a CVSS score of 9.8 (Critical), the flaw allows unauthenticated local attackers to inject arbitrary OS commands and have them executed with the privileges of the server process.


Vulnerability Overview

Attribute | Value
CVE ID | CVE-2026-5965
CVSS Score | 9.8 (Critical)
CWE Classification | CWE-78: Improper Neutralization of Special Elements in an OS Command
Affected Software | NewSoftOA (NewSoft)
Attack Vector | Local
Authentication Required | None (unauthenticated)
Published | April 21, 2026
Source | NIST NVD

Technical Description

The vulnerability exists in NewSoftOA, an office automation product by NewSoft. The flaw is classified as OS Command Injection (CWE-78), meaning user-supplied input is passed to a system shell invocation without adequate sanitization or escaping.

An unauthenticated local attacker can exploit this by supplying crafted input containing shell metacharacters (e.g., ;, |, &&), causing the application to run attacker-controlled commands on the underlying OS. Because no authentication is required to reach the vulnerable code path, the attack barrier is extremely low.

Attack Chain (Conceptual)

1. Attacker identifies the vulnerable input field in NewSoftOA
2. Supplies malicious input with shell metacharacters:
     field=legitimate_value; ATTACKER_COMMAND
3. NewSoftOA passes the unsanitized value to an OS shell call
4. The OS runs both the intended operation and the injected payload
5. Attacker achieves arbitrary code execution at the service's privilege level

If NewSoftOA runs as a privileged system account, the attacker gains full system control through this single vulnerability.
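
The difference between the injectable pattern and a hardened call, as an added example (not NewSoftOA code; the product's implementation is not public on this page). It assumes a POSIX host with `echo` on the PATH, and the function names and the allowlist are illustrative.

```python
import re
import subprocess

# Constructed input in the shape of the conceptual attack chain above; the
# injected part is a harmless echo so its effect is visible in the output.
CRAFTED = "legitimate_value; echo INJECTED"

# Allowlist: must start alphanumeric (so the value cannot look like an
# option such as "-n"), then letters, digits, "_", "." or "-" only.
SAFE_FIELD = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def run_vulnerable(field: str) -> list[str]:
    """CWE-78 pattern: the value is concatenated into a string a shell parses."""
    done = subprocess.run("echo " + field, shell=True,
                          capture_output=True, text=True)
    return done.stdout.splitlines()


def run_argv(field: str) -> list[str]:
    """No shell involved: the whole value is one argv element."""
    done = subprocess.run(["echo", field], capture_output=True, text=True)
    return done.stdout.splitlines()


def run_hardened(field: str) -> list[str]:
    """Validate against the allowlist, then invoke without a shell."""
    if not SAFE_FIELD.fullmatch(field):
        raise ValueError("field rejected: characters outside the allowlist")
    return run_argv(field)


if __name__ == "__main__":
    print("shell string :", run_vulnerable(CRAFTED))  # two commands ran
    print("argv list    :", run_argv(CRAFTED))        # one literal argument
    try:
        run_hardened(CRAFTED)
    except ValueError as exc:
        print("hardened     :", exc)
```

Passing an argument list removes shell parsing; the allowlist additionally stops values that the target program itself would treat as options.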


Impact Assessment

Impact Area | Description
Confidentiality | Any file readable by the service account is exposed
Integrity | Attacker can write files, alter configs, or plant malware
Availability | Service disruption, file deletion, or process termination
Lateral Movement | Compromised host can pivot further into the local network
Persistence | Backdoors, scheduled tasks, or startup entries can be installed

The CVSS score of 9.8 reflects near-maximum severity: no authentication needed, no user interaction, and full C/I/A compromise.


Affected Products

Product | Vendor | Status
NewSoftOA | NewSoft | Vulnerable; patch availability TBD

Organizations running NewSoftOA should treat this as a high-priority remediation item until a vendor patch is confirmed and deployed.


Remediation Guidance

Immediate Actions

  1. Identify all instances of NewSoftOA across your environment, especially those on shared workstations or accessible from internal networks.
  2. Restrict access to the application to authorized users only; limit network exposure where possible.
  3. Apply vendor patch — contact NewSoft for an updated release that addresses CVE-2026-5965 and apply immediately upon release.
  4. Least privilege — ensure the NewSoftOA service account has only the minimum OS permissions required to operate, limiting blast radius.
  5. Monitor for anomalies — watch for unexpected process creation events, unusual outbound network connections, or new files appearing in temp or startup directories on hosts running NewSoftOA.

Detection Indicators

Security teams should monitor for:

  • Unexpected child processes spawned from the NewSoftOA process (Windows Event ID 4688 or Linux audit logs)
  • Unusual outbound network connections originating from the NewSoftOA host
  • New files appearing in temp directories, startup folders, or scheduled task definitions on affected systems
  • Privilege escalation events triggered from the NewSoftOA service account
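
A triage sketch for the first indicator, as an added example (not from NewSoft or the advisory): it filters Windows Event ID 4688 records for children of the NewSoftOA process. The page does not name the executable, so `PARENT_IMAGE` is a placeholder; the expected-children baseline and all sample events are constructed.

```python
import ntpath

# ASSUMPTION: placeholder image name; replace with the real NewSoftOA binary.
PARENT_IMAGE = "newsoftoa_placeholder.exe"
# ASSUMPTION: children seen in normal operation; build this from your baseline.
EXPECTED_CHILDREN = {"conhost.exe"}
# Shells and script hosts that a command-injection flaw would typically spawn.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe",
          "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample records using Event ID 4688 field names.
SAMPLE_EVENTS = [
    {"EventID": 4688, "ParentProcessName": r"C:\App\newsoftoa_placeholder.exe",
     "NewProcessName": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe 0x4"},
    {"EventID": 4688, "ParentProcessName": r"C:\App\newsoftoa_placeholder.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 4624, "TargetUserName": "svc_constructed"},
    {"EventID": 4688, "ParentProcessName": r"C:\APP\NEWSOFTOA_PLACEHOLDER.EXE",
     "NewProcessName": r"C:\Users\Public\helper.exe",
     "CommandLine": r"C:\Users\Public\helper.exe"},
]


def image(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def triage(events):
    """Return (severity, child image, command line) for unexpected children."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue  # only process-creation events
        if image(ev.get("ParentProcessName")) != PARENT_IMAGE:
            continue  # not spawned by the monitored service
        child = image(ev.get("NewProcessName"))
        if child in EXPECTED_CHILDREN:
            continue  # matches the baseline
        severity = "high" if child in SHELLS else "review"
        findings.append((severity, child, ev.get("CommandLine", "")))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The `CommandLine` field is only populated when command-line auditing for process creation is enabled on the host.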

Key Takeaways

  1. CVE-2026-5965 is a CVSS 9.8 Critical OS command injection in NewSoftOA requiring no authentication to exploit
  2. Immediate exposure assessment is critical — locate all NewSoftOA deployments in your organization
  3. Restrict access and enforce least-privilege service accounts while awaiting a vendor patch
  4. Monitor process, file system, and network activity from affected hosts
  5. Patch immediately once NewSoft releases a fixed version

Sources

  • CVE-2026-5965 — NIST NVD