A critical SQL Injection vulnerability has been identified in Koken CMS, which allows an unauthenticated remote attacker to execute arbitrary commands on the website's database. Successful exploitation could lead to a complete compromise of the application, resulting in sensitive data theft, website defacement, or unauthorized administrative access.

This vulnerability is a SQL Injection flaw within the admin/api.php component of the Koken CMS. An unauthenticated attacker can send a specially crafted HTTP request to this endpoint, injecting malicious SQL queries through the id parameter. This allows the attacker to bypass security controls and directly interact with the underlying database, enabling them to read, modify, or delete data, including user credentials and website content.

This vulnerability is rated as High severity with a CVSS score of 8.8. A successful exploit could have severe consequences for the business, including a significant data breach of sensitive customer or internal information. Attackers could deface the public-facing website, causing substantial reputational damage and loss of customer trust. Furthermore, by extracting administrator credentials from the database, an attacker could gain full control over the CMS, potentially using it as a pivot point to launch further attacks against the internal network.

Immediate Action: Apply vendor security updates immediately to all affected Koken CMS instances. After patching, it is critical to monitor for any ongoing or recent exploitation attempts by thoroughly reviewing web server and application access logs for indicators of compromise.

Proactive Monitoring: Security teams should configure monitoring to alert on suspicious requests targeting the /admin/api.php endpoint. Specifically, look for malformed or complex SQL syntax within the id parameter of GET or POST requests. Monitor for unusual database activity, such as a high volume of queries from the web server or connections from unexpected sources.

Compensating Controls: If immediate patching is not possible, implement a Web Application Firewall (WAF) with a strict ruleset designed to detect and block SQL Injection attack patterns. Additionally, restrict administrative access to the Koken CMS to trusted IP addresses only and ensure the database user account has the minimum necessary privileges to function, preventing it from accessing or modifying critical system tables.

Public Exploit Available: true

Given the high severity score (CVSS 8.8) and the confirmed availability of public exploit code, this vulnerability presents a critical and immediate threat to the organization. All instances of Koken CMS must be identified and patched without delay. Although this vulnerability is not listed on the CISA KEV catalog, the ease of exploitation makes it a prime target for attackers. We strongly recommend prioritizing the remediation of this flaw and subsequently performing a compromise assessment to search for evidence of prior exploitation.