A recent vulnerability note issued by CERT/CC discloses three security flaws in Partner Software's flagship platforms, Partner Software and Partner Web. These applications are widely used by municipalities, state governments, and contractors for field operations, including GIS mapping and job reporting. Left unpatched, the flaws allow an authenticated user to upload arbitrary files to the server, to plant stored XSS in job notes, and to log in with a default administrator account; if an uploaded file can be interpreted by the web server, the upload flaw can escalate to remote code execution (RCE).
"Partner Software and Partner Web, both products of their namesake company, fail to sanitize report or note files, allowing for XSS attacks," the note warns.
The first flaw, tracked as CVE-2025-6076, is improper validation of files uploaded through the Reports tab: the application does not restrict file extensions, so any authenticated user can upload a file of their choosing and have it stored on the server. Whether such a file can then be executed depends on how the web server handles the stored path, but a stored, attacker-controlled file is the precondition for that.
"An authenticated attacker can upload a malicious file that will be stored on the victim server," CERT explains.
The second flaw, tracked as CVE-2025-6077, is even more alarming: every version of Partner Web ships with the same default administrator username and password. If the credentials are never changed, anyone who can reach the login page can authenticate as an administrator, which in turn satisfies the "authenticated attacker" precondition of the other two flaws.
"The Partner Web product also ships with the same default administrator username and password across versions," CERT highlights.
Lastly, the Notes section in the Job view is vulnerable to stored XSS (CVE-2025-6078). The application stores unsanitized HTML and JavaScript entered into a job note and renders it back unchanged, so the payload runs in the browser of every user who later views that job.
"An attacker… could add a note containing malicious JavaScript, leading to stored XSS (cross-site scripting)," the advisory explains.
Partner Software products are primarily deployed in:
- Local and state government field services
- Utility companies and infrastructure mapping
- Private contractors managing fieldwork via GIS interfaces
Given the nature of the environments where these tools are deployed, compromise of these systems could lead to the manipulation of critical field data or unauthorized remote access to servers in sensitive sectors.
Partner Software has released a critical patch in version 4.32.2, which addresses all three vulnerabilities:
- Default admin and edit users have been removed
- Notes input is now fully sanitized and restricted to plain text
- File uploads are limited to safe extensions (.csv, .jpg, .png, .txt, .doc, .pdf) and are read-only
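The following Python example is added here to illustrate the two input-handling fixes in the list above (and the two flaws they close, CVE-2025-6076 and CVE-2025-6078); it is not Partner Software's code and its function names are hypothetical. The "vulnerable" functions model the pre-fix behaviour only as the advisory describes it (no extension check, notes rendered as raw HTML); the allowlist is the one quoted on this page, and the read-only storage uses `O_EXCL` plus mode `0o444`, an assumed implementation of "read-only".

```python
import html
import os
import re
from typing import Optional

# Allowlist as quoted from the 4.32.2 release notes on this page.
SAFE_EXTENSIONS = {".csv", ".jpg", ".png", ".txt", ".doc", ".pdf"}

# Anything outside this set is replaced in the stored file stem.
_STEM_BAD = re.compile(r"[^A-Za-z0-9_-]")


def filename_accepted_vulnerable(filename: str) -> bool:
    """Pre-fix behaviour as described in the advisory (assumed shape):
    any non-empty name is accepted, so 'shell.php' is stored as-is."""
    return bool(filename)


def filename_accepted_hardened(filename: str) -> Optional[str]:
    """Return the basename to store, or None to reject the upload.

    Order of checks: drop any directory component (path traversal),
    reject control characters (null-byte tricks), then allow only the
    listed extensions, compared case-insensitively on the LAST suffix.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base in (".", ".."):
        return None
    if any(ord(c) < 32 or ord(c) == 127 for c in base):
        return None
    stem, ext = os.path.splitext(base)
    if not stem or ext.lower() not in SAFE_EXTENSIONS:
        return None
    # Normalise the stem so the stored name carries no quotes or spaces
    # that a later template might render unescaped.
    return _STEM_BAD.sub("_", stem) + ext.lower()


def store_read_only(dest_dir: str, safe_name: str, data: bytes) -> str:
    """Write with O_EXCL (never overwrite an earlier upload) and mode 0o444
    so the stored copy cannot be modified afterwards. Note that read-only
    bits do not stop a web server from *interpreting* a file, which is
    why the extension allowlist above is the primary control."""
    path = os.path.join(dest_dir, safe_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o444)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def render_note_vulnerable(note: str) -> str:
    """Pre-fix behaviour as described in the advisory: the note body is
    dropped into the page unchanged, so any <script> in it runs in every
    viewer's browser (stored XSS)."""
    return '<div class="note">%s</div>' % note


def render_note_hardened(note: str) -> str:
    """Treat the note as plain text: escape <, >, &, " and ' so the browser
    displays the characters instead of parsing them as markup."""
    return '<div class="note">%s</div>' % html.escape(note, quote=True)


if __name__ == "__main__":
    import tempfile

    # Constructed sample filenames an attacker or a normal user might send.
    for name in ("shell.php", "../../etc/passwd.txt", "Report 2025.PDF",
                 "x.php\x00.txt", ".htaccess"):
        print(repr(name), "->", filename_accepted_hardened(name))

    payload = "<script>alert(document.cookie)</script>"  # constructed note
    print(render_note_vulnerable(payload))
    print(render_note_hardened(payload))

    with tempfile.TemporaryDirectory() as d:
        p = store_read_only(d, "report.csv", b"id,status\n1,ok\n")
        print(p, oct(os.stat(p).st_mode & 0o777))
```

Checking only the last suffix is deliberate: a name such as `shell.php.txt` is stored as a `.txt` and must be served as plain text by the web server; if a server's handler configuration keys on any suffix in the name, the allowlist alone is not enough and the stored stem also needs to be free of extra dots.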