CVE-2022-23851
Netaxis · API Orchestrator (APIO)
Netaxis API Orchestrator (APIO) versions prior to 0.19.3 are vulnerable to Server-Side Template Injection (SSTI), potentially allowing remote code execution.
Executive summary
A critical Server-Side Template Injection vulnerability in Netaxis API Orchestrator enables unauthenticated attackers to execute arbitrary code on the underlying host.
Vulnerability
The application is susceptible to Server-Side Template Injection (SSTI), which occurs when user-supplied input is embedded into a template that the server-side template engine then evaluates, instead of being passed to the template as data. This flaw allows an unauthenticated attacker to manipulate the template logic to execute system-level commands.
Business impact
With a CVSS score of 9.8, this vulnerability represents a critical risk to organizational infrastructure. Successful exploitation could lead to full system compromise, unauthorized data access, and the potential for lateral movement within the network, resulting in significant operational downtime and reputational damage.
Remediation
Immediate Action: Upgrade Netaxis API Orchestrator to version 0.19.3 or later to patch the underlying template injection flaw.
Proactive Monitoring: Inspect application logs for unusual template syntax or serialized objects in request parameters indicative of injection attempts.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules designed to detect and block common template injection payloads.
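As an added illustration of the log-inspection step above (example code, not from Netaxis or this advisory), the following Python scans constructed access-log lines for URL-encoded template-engine delimiters in the request target. The log format, the sample lines and the marker list are assumptions; APIO's real log layout is not described on this page, and parameters sent in request bodies would need application-level logging to be visible.

```python
import re
from urllib.parse import unquote

# Template-engine delimiters that normally have no business appearing in the
# request parameters of an API front end. Labels are descriptive, not engine names.
TEMPLATE_MARKERS = [
    (r"\{\{.*?\}\}", "double-brace expression"),
    (r"\{%.*?%\}", "brace-percent statement"),
    (r"\$\{.*?\}", "dollar-brace expression"),
    (r"<%.*?%>", "angle-percent tag"),
    (r"#\{.*?\}", "hash-brace expression"),
]
MARKER_RE = [(re.compile(p), label) for p, label in TEMPLATE_MARKERS]

# Assumed combined-style access log line: <client> - - [<ts>] "<method> <target> <proto>" <status>
LOG_RE = re.compile(r'^(\S+) - - \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})')


def scan_request(target: str) -> list:
    """Return labels of template markers found in a request target.

    The target is URL-decoded twice so that both plain percent-encoding
    (%7B%7B) and double-encoding (%257B%257B) are inspected.
    """
    decoded = unquote(unquote(target))
    return [label for rx, label in MARKER_RE if rx.search(decoded)]


def scan_log(lines) -> list:
    """Return (client, method, target, findings) for lines carrying template syntax."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        client, _ts, method, target, _status = m.groups()
        findings = scan_request(target)
        if findings:
            hits.append((client, method, target, findings))
    return hits


# Constructed sample lines for illustration; not taken from a real APIO deployment.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Feb/2022:10:00:01 +0000] "GET /api/v1/users?name=alice HTTP/1.1" 200',
    '203.0.113.11 - - [01/Feb/2022:10:00:02 +0000] "GET /api/v1/users?name=%7B%7Bname%7D%7D HTTP/1.1" 200',
    '198.51.100.7 - - [01/Feb/2022:10:00:03 +0000] "POST /api/v1/templates?body=%2524%257Bx%257D HTTP/1.1" 500',
    '203.0.113.12 - - [01/Feb/2022:10:00:04 +0000] "GET /api/v1/status HTTP/1.1" 200',
]

if __name__ == "__main__":
    for client, method, target, findings in scan_log(SAMPLE_LOG):
        print(f"{client} {method} {target} -> {', '.join(findings)}")
```

Matches on the markers alone are a triage signal, not proof of exploitation; correlate a hit with the response status and with the upgrade state of the instance before escalating.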
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
Given the critical CVSS severity, immediate action is required to secure affected instances. Administrators should prioritize patching the software to the latest version to eliminate the SSTI vector and prevent unauthorized remote command execution.