A critical, unauthenticated vulnerability exists in phpKF CMS, allowing remote attackers to bypass security checks and upload malicious files. Successful exploitation enables an attacker to execute arbitrary code, leading to a complete compromise of the affected web server, potential data theft, and service disruption.

The vulnerability is an unauthenticated file upload bypass within the phpKF CMS software. The application fails to properly validate the true file type during the upload process, relying on insufficient checks like file extension. An unauthenticated remote attacker can craft a malicious PHP script, disguise it with a permitted extension like .png, and upload it to the server. Subsequently, the attacker can rename the file to a .php extension and access it directly via a web browser, executing the embedded code and gaining full control over the server.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation requires no authentication or user interaction, making it a significant threat to any internet-facing system running the affected software. A successful attack can lead to a complete system compromise, resulting in the theft of sensitive data (e.g., customer information, intellectual property), website defacement, service outages, and reputational damage. The compromised server could also be used as a staging point to launch further attacks against the internal network, escalating the overall security risk to the organization.

Immediate Action: Update phpKF CMS Multiple Products to the latest version as recommended by the vendor. After patching, it is crucial to monitor for any signs of post-exploitation activity and thoroughly review web server access logs for indicators of compromise that may have occurred prior to the update.

Proactive Monitoring:

• Log Analysis: Scrutinize web server logs for suspicious POST requests to file upload endpoints, especially those with unusual user agents or originating from unexpected IP addresses. Look for file rename events followed by GET or POST requests to newly created .php files in upload directories.
• File Integrity Monitoring (FIM): Implement FIM on web directories to detect the creation of unauthorized files, particularly executable scripts (e.g., .php, .phtml).
• Network Traffic: Monitor for anomalous outbound connections from the web server, which could indicate a reverse shell or data exfiltration channel established by an attacker.

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

• Web Application Firewall (WAF): Deploy a WAF with rules specifically designed to inspect file uploads, validate file types based on content (magic bytes) rather than extensions, and block malicious payloads.
• Disable Script Execution: Configure the web server to explicitly deny the execution of scripts (like PHP) within the file upload directory.
• Restrict Access: If the file upload functionality is not essential, disable it entirely until the system can be patched.

Public Exploit Available: true

Given the critical CVSS score of 9.8 and the availability of public exploits, this vulnerability poses an immediate and severe risk to the organization. The highest priority is to apply the vendor-supplied patches to all affected phpKF CMS instances without delay. For any unpatched, internet-facing systems, we recommend assuming they are compromised and initiating incident response procedures to hunt for evidence of malicious activity. The lack of a CISA KEV listing should not diminish the urgency; the unauthenticated nature of this remote code execution flaw warrants immediate attention and remediation.