Vulnerability Summary: Borg SPM 2007 Security Vulnerabilities

Overview

The SPM 2007 software from Borg Technology Corporation contains three critical security vulnerabilities that allow unauthorized attackers to execute arbitrary code, bypass authentication, or inject SQL commands.

CVE-2026-6885: Arbitrary File Upload Vulnerability
- Unauthorized attackers can upload and execute a web shell backdoor, achieving arbitrary code execution.
- CVSS Score: 9.8 (Critical)

CVE-2026-6886: Authentication Bypass Vulnerability
- Unauthorized attackers can log into the system and impersonate any user.
- CVSS Score: 9.8 (Critical)

CVE-2026-6887: SQL Injection Vulnerability
- Unauthorized attackers can inject arbitrary SQL commands to read, modify, or delete database content.
- CVSS Score: 9.8 (Critical)

Impact Scope

Affected Product: Borg SPM 2007 (sales ended in 2008)

CVSS Vectors:
- CVE-2026-6885:
- CVE-2026-6886:
- CVE-2026-6887:

Remediation

Customers with valid maintenance contracts are advised to contact the vendor for patch remediation. Alternatively, upgrade to the latest version: SPM2025 SP1 (has passed source code security audit).

Additional Information

TVN ID: TVN-202604009
Release Date: 2026-04-23
Contributor: Xin Yu Lin (DEVCORE)

> Note: No POC or exploit code is provided on the page.