A critical remote code execution vulnerability exists in phpPgAdmin, a web-based administration tool for PostgreSQL. This flaw allows an unauthenticated attacker to take complete control of the server hosting the application by sending a specially crafted request. Successful exploitation could lead to a full system compromise, resulting in significant data breaches, service disruption, and unauthorized access to the internal network.

This vulnerability is an unauthenticated PHP Object Instantiation flaw that leads to remote code execution. The weakness resides in the redirect.php script, which insecurely deserializes user-provided data from the $_COOKIE['PHP_SELF'] variable without proper validation. An attacker can craft a malicious serialized PHP object, place it in this cookie, and send it to the server. When the application processes this cookie, the unserialize() function triggers the malicious object, allowing the attacker to execute arbitrary commands on the underlying server with the permissions of the web server process.

This is a high-severity vulnerability with a CVSS score of 8.8. Exploitation by an unauthenticated attacker can have severe consequences for the business. A successful attack grants the adversary complete control over the web server, leading to potential data theft of sensitive information stored in the PostgreSQL databases. The compromised server could also be used as a pivot point to launch further attacks against the internal network, disrupt critical business operations, or be leveraged in botnet activities. A public breach resulting from this vulnerability could cause significant reputational damage and potential regulatory fines.

Immediate Action: The primary and most effective remediation is to upgrade all instances of phpPgAdmin to version 7.14.1 or later, which contains the vendor-supplied patch for this vulnerability. After patching, review web server access logs for any signs of prior exploitation attempts, such as unusual requests to redirect.php.

Proactive Monitoring:

• Log Analysis: Scrutinize web server logs for requests to redirect.php containing unusually large or suspicious-looking PHP_SELF cookie values.
• Network Traffic: Monitor for anomalous outbound connections from the phpPgAdmin server, which could indicate a reverse shell or data exfiltration.
• File Integrity Monitoring: Implement file integrity monitoring on the web server to detect the creation of unexpected files (e.g., web shells) in web-accessible directories.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

• Access Control: Restrict network access to the phpPgAdmin interface to a limited set of trusted IP addresses, such as an internal administrative network. The interface should never be exposed to the public internet.
• Web Application Firewall (WAF): Deploy a WAF with rules designed to detect and block serialized PHP objects within HTTP cookies.
• Decommissioning: If phpPgAdmin is not essential for operations, consider disabling or uninstalling it to eliminate the attack surface entirely.

Public Exploit Available: true

Given the high severity (CVSS 8.8), the unauthenticated nature of the exploit, and the widespread availability of public exploit code, this vulnerability poses a critical risk to the organization. Immediate patching is the highest priority. All organizations must assume they are a target and should immediately identify and upgrade all vulnerable instances of phpPgAdmin. While this CVE is not currently listed on the CISA KEV catalog, its characteristics make it a prime candidate for opportunistic and targeted attacks. If patching is delayed for any reason, compensating controls such as strict network access restrictions must be implemented without delay.