Overview
CVE-2026-6885 is a critical arbitrary file upload vulnerability in Borg SPM 2007, a sales performance management application developed by BorG Technology Corporation that reached end-of-sale in 2008. The vulnerability allows unauthenticated remote attackers to upload arbitrary files, including PHP web shells, to the server, leading to arbitrary code execution with the privileges of the web server process.
| Field | Details |
|---|---|
| CVE ID | CVE-2026-6885 |
| CVSS Score | 9.8 (Critical) |
| Vendor | BorG Technology Corporation |
| Product | Borg SPM 2007 |
| EOL Date | 2008 (sales ended) |
| Attack Vector | Network |
| Authentication | None required |
| Published | 2026-04-23 |
Technical Details
The vulnerability exists in the file upload functionality of Borg SPM 2007. The application performs no validation of an uploaded file's type, extension, or content, so an attacker can submit a PHP (or other server-side script) file through the upload endpoint, with no authentication step, and have it stored as-is.
Once the malicious script has been written to a directory that the web server both serves and executes scripts from, the attacker triggers it simply by requesting the uploaded file's URL, resulting in full remote code execution (RCE) on the underlying server. This is one of the most severe vulnerability classes, as it combines pre-authentication access with the ability to run arbitrary operating system commands.
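The following Python module is an added example, not code from Borg SPM 2007 or from BorG Technology Corporation. It contrasts a handler with the failure mode just described (client-chosen name, no extension or content check, written straight into the webroot) with the checks a safe upload path performs: an extension allowlist, a magic-byte check against the declared type, a server-generated file name, and storage outside any web-served directory. The accepted types and size limit are illustrative assumptions.

```python
import os
import secrets

# Added example, not Borg SPM 2007 code. Shows the checks a safe upload path
# performs and, for contrast, a handler with the behaviour the advisory describes.

# Allowlist of accepted extensions mapped to the magic bytes the content must begin with.
# The set of types and the size limit are assumptions for this example.
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}
MAX_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def vulnerable_save(filename, data, webroot):
    """The failure mode described above: client-chosen name, no extension or
    content check, written straight into a web-served directory. Uploading
    'cmd.php' and then requesting /uploads/cmd.php executes it."""
    dest = os.path.join(webroot, "uploads", filename)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def validate_upload(filename, data):
    """Return the normalised extension if the upload passes every check."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file exceeds size limit")
    base = os.path.basename(filename)  # strip any directory components (../ tricks)
    if "." not in base:
        raise UploadRejected("missing extension")
    ext = base.rsplit(".", 1)[1].lower()  # only the final extension counts
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension %r is not on the allowlist" % ext)
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type %r" % ext)
    return ext


def safe_save(filename, data, storage_dir):
    """Validate, then store under a server-generated name outside the webroot.
    Even if a polyglot (valid image header followed by a PHP payload) passes
    validation, nothing here is reachable by URL or executed by the web server."""
    ext = validate_upload(filename, data)
    stored_name = secrets.token_hex(16) + "." + ext
    with open(os.path.join(storage_dir, stored_name), "wb") as fh:
        fh.write(data)
    return stored_name
```

The magic-byte check alone is not a complete defence: a file that begins with a valid JPEG header and carries PHP after it passes `validate_upload`. What removes the code-execution outcome is that `safe_save` never lets the client choose the name and never writes into a directory the web server serves, so the stored bytes are data, not a script.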
Attack Flow
- Attacker identifies an exposed Borg SPM 2007 instance (no login required)
- Attacker crafts a request to the file upload endpoint with a malicious PHP web shell payload
- The server accepts and stores the file without validation
- Attacker navigates to the uploaded file URL to trigger the shell
- Full OS-level command execution achieved under web server context
Risk Assessment
Although the product has been out of support for nearly two decades, legacy applications remain in production far longer than vendors intend. The absence of any authentication requirement combined with direct code execution accounts for the 9.8 (Critical) CVSS score.
Any organization still running Borg SPM 2007 should treat this as an emergency: the software has received no security patches since 2008 and no remediation is expected from the vendor.
Remediation
No patch is available or expected. BorG Technology Corporation ended sales of this product in 2008, and no active maintenance exists.
Recommended actions:
- Immediately decommission any remaining Borg SPM 2007 instances
- If decommissioning is not immediately possible, block all network access to the application at the firewall or network layer
- Migrate to a supported, actively maintained sales performance management solution
- Conduct a forensic review of any exposed systems for signs of prior compromise, including server-side script files in upload directories and web server logs showing uploads followed by requests to the uploaded file
- Implement web application firewall (WAF) rules to block file upload attempts as a temporary control; a WAF does not fix the missing validation and can be bypassed, so it must not delay decommissioning
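The following Python script is an added example for the forensic review step above and for detecting the attack flow described earlier; it is not a tool from the advisory or from the vendor. It walks web server access logs in combined format and flags GET requests for server-side scripts under an upload directory, rating them high when the same client issued a POST shortly before (the upload-then-trigger sequence) and medium otherwise. The log lines are constructed, and the `/upload.php` endpoint and `/uploads/` directory are assumptions: Borg SPM 2007's real endpoint and storage path are not stated in this advisory and must be substituted from the deployment.

```python
import re
from datetime import datetime, timedelta

# Added example for triaging access logs for the attack flow in this advisory.
# Endpoint and directory names below are assumptions; substitute the real paths.
UPLOAD_DIRS = ("/uploads/",)
SCRIPT_EXTENSIONS = (".php", ".phtml", ".php3", ".php4", ".php5", ".phar",
                     ".asp", ".aspx", ".jsp")
CORRELATION_WINDOW = timedelta(minutes=15)

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; not taken from any real Borg SPM server.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Apr/2026:10:14:02 +0000] "GET /index.php HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Apr/2026:10:14:05 +0000] "POST /upload.php HTTP/1.1" 200 212 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Apr/2026:10:14:09 +0000] "GET /uploads/cmd.php?c=id HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.22 - - [23/Apr/2026:10:20:41 +0000] "POST /upload.php HTTP/1.1" 200 212 "-" "Mozilla/5.0"
198.51.100.22 - - [23/Apr/2026:10:21:00 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
192.0.2.9 - - [23/Apr/2026:11:02:13 +0000] "GET /uploads/old.phtml HTTP/1.1" 404 312 "-" "curl/8.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def is_script_under_upload_dir(path):
    """True if the request targets a server-side script inside an upload directory."""
    p = path.lower()
    return p.startswith(UPLOAD_DIRS) and p.endswith(SCRIPT_EXTENSIONS)


def find_upload_then_execute(lines):
    """Flag GETs of scripts under upload directories. A GET preceded by a POST
    from the same client within the correlation window is rated high (the
    upload-then-trigger sequence); a bare GET is rated medium (a probe, or a
    later reuse of a shell planted earlier)."""
    last_post = {}  # ip -> most recent POST record from that client
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST":
            last_post[rec["ip"]] = rec
        elif rec["method"] == "GET" and is_script_under_upload_dir(rec["path"]):
            prior = last_post.get(rec["ip"])
            correlated = prior is not None and rec["ts"] - prior["ts"] <= CORRELATION_WINDOW
            findings.append({
                "ip": rec["ip"],
                "path": rec["path"],
                "status": rec["status"],  # 200 on a script GET means it most likely ran
                "upload_request": prior["path"] if correlated else None,
                "severity": "high" if correlated else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in find_upload_then_execute(SAMPLE_LOG.splitlines()):
        print("%(severity)s %(ip)s %(path)s status=%(status)s upload=%(upload_request)s" % f)
```

On the sample above the script reports the 203.0.113.7 sequence as high and the 192.0.2.9 probe as medium, and ignores the PDF fetch. Log correlation only sees what was logged: pair it with a filesystem sweep of the upload directory for files with script extensions, and treat any hit on a host that was exposed as grounds for a full compromise assessment rather than a cleanup of that one file.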