PatchSiren

CVE-2026-22235 OPEXUS CVE debrief

CVE-2026-22235 is a vulnerability in OPEXUS eComplaint before version 9.0.45.0. An attacker can exploit this vulnerability by visiting the 'DocumentOpen.aspx' endpoint and iterating through predictable values of 'chargeNumber' to download any uploaded files. The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity. The CVE was published on January 7, 2026, and has not been modified since then. The vulnerability is fixed in version 9.0.45.0.

Vendor: OPEXUS
Product: eCase Portal
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-07
Original CVE updated: 2026-01-07
Advisory published: 2026-01-07
Advisory updated: 2026-01-07

Who should care

Organizations running OPEXUS eComplaint before version 9.0.45.0 are affected and should plan an upgrade to the latest version. Security teams and administrators responsible for OPEXUS eComplaint should prioritize this patch to prevent exploitation.

Technical summary

The vulnerability exists in the OPEXUS eComplaint application, specifically in the 'DocumentOpen.aspx' endpoint. An attacker can exploit this vulnerability by iterating through predictable values of 'chargeNumber' to download any uploaded files. The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Defensive priority

High priority should be given to patching this vulnerability, as it allows an attacker to download any uploaded files. Organizations should upgrade to version 9.0.45.0 or later to fix this vulnerability.

Recommended defensive actions

  • Upgrade OPEXUS eComplaint to version 9.0.45.0 or later
  • Review and update access controls for the 'DocumentOpen.aspx' endpoint
  • Monitor for suspicious activity related to the 'chargeNumber' parameter
  • Implement additional security measures to protect against IDOR vulnerabilities
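
For the monitoring action above, one way to look for enumeration of 'chargeNumber' in web server logs. This is an added example, not taken from the advisory or from OPEXUS. It assumes IIS W3C logs that record the date, time, c-ip, cs-uri-stem and cs-uri-query fields; the sample log lines, the threshold of 4 distinct values and the 5-minute window are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed IIS W3C sample: documentation-range IPs, made-up chargeNumber values.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-01-08 10:00:01 198.51.100.7 GET /DocumentOpen.aspx chargeNumber=1001 200
2026-01-08 10:00:02 198.51.100.7 GET /DocumentOpen.aspx chargeNumber=1002 200
2026-01-08 10:00:03 198.51.100.7 GET /DocumentOpen.aspx chargeNumber=1003 404
2026-01-08 10:00:04 198.51.100.7 GET /DocumentOpen.aspx chargeNumber=1004 200
2026-01-08 10:00:05 198.51.100.7 GET /DocumentOpen.aspx chargeNumber=1005 200
2026-01-08 10:03:00 203.0.113.20 GET /DocumentOpen.aspx chargeNumber=2040 200
2026-01-08 10:09:30 203.0.113.20 GET /documentopen.aspx chargeNumber=2040 200
2026-01-08 08:00:00 192.0.2.15 GET /DocumentOpen.aspx chargeNumber=3001 200
2026-01-08 09:00:00 192.0.2.15 GET /DocumentOpen.aspx chargeNumber=3002 200
2026-01-08 10:00:00 192.0.2.15 GET /DocumentOpen.aspx chargeNumber=3003 200
2026-01-08 11:00:00 192.0.2.15 GET /DocumentOpen.aspx chargeNumber=3004 200
"""

def parse_w3c(text):
    """Yield one dict per request, naming columns from the #Fields header."""
    fields = []
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#Fields:"):
            fields = parts[1:]
        elif parts and not line.startswith("#") and len(parts) == len(fields):
            yield dict(zip(fields, parts))

def find_enumeration(text, min_distinct=4, window=timedelta(minutes=5)):
    """Return {client IP: most distinct chargeNumber values in any one window}."""
    hits = defaultdict(list)  # client IP -> [(timestamp, chargeNumber value)]
    for row in parse_w3c(text):
        if row.get("cs-uri-stem", "").lower().endswith("/documentopen.aspx"):
            query = parse_qs(row.get("cs-uri-query", ""))
            query = {k.lower(): v for k, v in query.items()}  # IIS is case-insensitive
            ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            hits[row["c-ip"]] += [(ts, v) for v in query.get("chargenumber", [])]
    flagged = {}
    for client, events in hits.items():
        events.sort()
        best = max((len({v for t, v in events[i:] if t - start <= window})
                    for i, (start, _) in enumerate(events)), default=0)
        if best >= min_distinct:  # assumed threshold; tune against normal usage
            flagged[client] = best
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

Counting distinct values per client rather than raw request volume keeps a user who reopens the same document from being flagged, and the time window separates a burst from ordinary use spread over a working day.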

Evidence notes

The vulnerability is documented in the CISA CSAF file and the CVE record on CVE.org. The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity.

Official resources

This article is AI-assisted and based on the supplied source corpus.