CVE-2020-37012
Tea · Tea LaTex Multiple Products
A critical remote code execution vulnerability has been identified in Tea LaTex Multiple Products.
Executive summary
A critical remote code execution vulnerability has been identified in Tea LaTex Multiple Products. This flaw allows an unauthenticated attacker to execute arbitrary commands on the server by sending a specially crafted request, potentially leading to a complete system compromise, data theft, and service disruption.
Vulnerability
The vulnerability exists within the /api.php endpoint, specifically in the tex2png API action. The application fails to properly sanitize user-supplied input before processing it with the LaTeX engine. An unauthenticated remote attacker can submit a malicious LaTeX payload containing embedded shell commands (e.g., using \write18{command}). When the server processes this payload to generate an image, it also executes the embedded shell commands with the privileges of the web server process, leading to remote code execution.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the affected server. Potential consequences include theft or modification of sensitive data, installation of malware or ransomware, disruption of critical services hosted on the server, and using the compromised system as a pivot point to attack other internal network resources. The unauthenticated nature of this vulnerability significantly increases the risk, as any attacker with network access to the application can attempt exploitation, posing a severe threat to data confidentiality, integrity, and availability.
Remediation
Immediate Action:
- Immediately apply the security patches provided by the vendor. Update all instances of Tea LaTex Multiple Products to the latest, non-vulnerable version.
- After patching, review server access logs and application logs for any signs of exploitation attempts targeting the /api.php endpoint.
Proactive Monitoring:
- Monitor web server logs for suspicious POST requests to /api.php, specifically looking for payloads containing LaTeX commands associated with shell execution or file inclusion, such as \write18, \input, or \include.
- Implement system-level monitoring to detect anomalous processes being spawned by the web server user (e.g., sh, bash, powershell, curl, wget).
- Monitor network traffic for unexpected outbound connections from the server, which could indicate a successful compromise.
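As an added example (not part of the advisory or the vendor's code), the following Python detector implements the log review described above over constructed sample lines. The log format, and the `action` and `tex` parameter names, are assumptions; it decodes the payload twice so that a double-percent-encoded backslash is still caught.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# LaTeX primitives named in the advisory: \write18 (shell execution),
# \input and \include (file inclusion).
SUSPICIOUS_TEX = re.compile(r"\\(write18|input|include)\b")

# Assumed application log format: "<ip> <method> <path?query> <status>".
# Parameter names "action" and "tex" are assumptions, not from the advisory.
LOG_LINE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")

# Constructed sample log lines (not real traffic). CMD and FILE are placeholders.
SAMPLE_LOG = """\
203.0.113.7 POST /api.php?action=tex2png&tex=%5Cfrac%7Ba%7D%7Bb%7D 200
203.0.113.9 POST /api.php?action=tex2png&tex=%5Cwrite18%7BCMD%7D 200
203.0.113.9 POST /api.php?action=tex2png&tex=%255Cinput%257BFILE%257D 200
198.51.100.4 GET /index.php 200
"""


def inspect_line(line):
    """Return the sorted list of suspicious primitives in one log line, or []."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return []
    url = urlparse(m.group("target"))
    if url.path != "/api.php":
        return []
    params = parse_qs(url.query, keep_blank_values=True)
    if params.get("action", [""])[0] != "tex2png":
        return []
    # parse_qs percent-decodes once; decode again so a double-encoded
    # backslash (%255C) does not slip past the pattern.
    tex = unquote_plus(params.get("tex", [""])[0])
    return sorted(set(SUSPICIOUS_TEX.findall(tex)))


def scan(lines):
    """Return (source ip, primitives) for every line that triggers the check."""
    hits = []
    for line in lines:
        found = inspect_line(line)
        if found:
            hits.append((LOG_LINE.match(line.strip()).group("ip"), found))
    return hits


if __name__ == "__main__":
    for ip, found in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {', '.join(found)}")
```

Default web server access logs usually omit POST bodies, so this check needs application-level request logging (or a WAF log) that records the submitted LaTeX.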
Compensating Controls:
- If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules to block requests containing malicious LaTeX syntax targeting the /api.php endpoint.
- Restrict network access to the /api.php endpoint, allowing connections only from trusted IP addresses. If the endpoint is not required for business operations, consider disabling it entirely.
- Run the Tea LaTex application in a sandboxed or containerized environment with minimal privileges to limit the impact of a potential compromise.
Exploitation status
Public Exploit Available: true
Analyst recommendation
Given the critical CVSS score of 9.8 and the availability of a public exploit, immediate action is required. All organizations using the affected Tea LaTex products must prioritize applying the vendor-supplied patches without delay. Due to the risk of a full system compromise, it is also strongly recommended to hunt for evidence of past exploitation by reviewing logs for the indicators mentioned in the Proactive Monitoring section. Implementing compensating controls like WAF rules and network segmentation should be considered a critical defense-in-depth measure, even after patching is complete.