There has recently been an exploit reported to CSGO server admins. In our attempts to keep our players safe, we have disabled the upload of new in-game sprays.
This is the message sent to server admins:
Headsup admins/owners. Might want to disable custom files till valve addresses this issue brought to their attention a month ago.
There is an exploit where any client with minor skill can inject custom files with all types of malicious code. From hacks in weapon skins, to ransomware in custom .bsp, to remote backdoors in custom spray paints.
The exploit is injecting code into any image, sound, or data file. You can take weapon skins (csgo), sound files, spray paint image files, even .bsp/etc. and inject hack code, or actual ransomware, viruses, or Trojans/rootkits directly into a server cache, or client cache via the custom file.
Might want to disable custom files till valve decides to correct this issue.