A critical remote code execution vulnerability exists in Gila CMS versions prior to 2.0.0, allowing unauthenticated attackers to gain complete control of the server. By sending a specially crafted web request with malicious code in the HTTP User-Agent header, an attacker can execute arbitrary commands on the system. This can lead to a full system compromise, data theft, and deployment of malware.

The vulnerability is a Remote Code Execution (RCE) flaw that allows an unauthenticated attacker to inject and execute arbitrary PHP code. The flaw exists in how the application processes HTTP headers, specifically the User-Agent header, for requests sent to the admin endpoint. An attacker can craft a request where the User-Agent header contains a malicious PHP payload (e.g., utilizing shell_exec()). When the Gila CMS application logs or processes this header, it improperly executes the embedded PHP code, leading to the execution of system commands with the privileges of the web server process.

This vulnerability is rated as critical with a CVSS score of 9.8, representing a severe risk to the organization. A successful exploit grants an attacker complete control over the affected web server, which can lead to theft of sensitive data, website defacement, service disruption, or the installation of ransomware. The compromised server could also be used as a foothold to launch further attacks against the internal network, escalating the incident's impact. This poses a significant threat to business operations, data confidentiality, and organizational reputation.

Immediate Action: The primary remediation is to immediately upgrade all instances of Gila CMS to version 2.0.0 or the latest available version. After patching, it is critical to review web server access logs for any signs of prior exploitation, such as unusual requests to the admin endpoint or suspicious User-Agent strings.

Proactive Monitoring: Implement continuous monitoring of web server access logs, specifically looking for requests with malicious-looking User-Agent strings containing PHP functions like shell_exec(), system(), passthru(), or eval(). Monitor for unexpected outbound network connections from the web server and use file integrity monitoring (FIM) to detect unauthorized changes to application files.

Compensating Controls: If patching is not immediately possible, deploy a Web Application Firewall (WAF) with rules to inspect and block malicious payloads within HTTP headers. Restrict access to the Gila CMS admin endpoint (/admin) to trusted IP addresses only. Ensure the web server process runs with the least privilege necessary to limit the potential impact of a compromise.

Public Exploit Available: True

Given the critical severity (CVSS 9.8) of this unauthenticated remote code execution vulnerability and the public availability of exploit code, immediate action is imperative. Organizations must prioritize patching all vulnerable Gila CMS instances to version 2.0.0 or later without delay. Due to the high likelihood of automated scanning and exploitation, all internet-facing installations should be considered compromised until patched and thoroughly investigated for indicators of compromise.