A critical remote code execution vulnerability exists in Cobian Backup Gravity 11, which could allow an unauthenticated attacker to take full control of the backup server over the network. Successful exploitation could lead to the theft or destruction of sensitive backup data, deployment of ransomware, and further compromise of the internal network.

This vulnerability is an unauthenticated remote code execution (RCE) due to improper input sanitization in the product's web interface. An unauthenticated remote attacker can send a specially crafted HTTP POST request to the /users endpoint. The username parameter within this request is not validated correctly and is passed directly to a system command, allowing for command injection. By embedding malicious commands within the username parameter, an attacker can execute arbitrary code on the server with the privileges of the Cobian Backup service.

This vulnerability is rated as High severity with a CVSS score of 8.4. Successful exploitation would grant an attacker complete control over the backup server, which presents a significant risk to the organization. Potential consequences include the compromise, exfiltration, or deletion of all backup data, rendering disaster recovery plans ineffective. The compromised server could also be used as a staging point to launch further attacks against the internal network, leading to a wider system breach, deployment of ransomware, and significant operational disruption.

Immediate Action: Apply vendor security updates immediately to all vulnerable instances of Cobian Backup. After patching, review web server and system access logs for any signs of exploitation attempts that may have occurred prior to the update, such as unusual POST requests to the /users endpoint.

Proactive Monitoring:

• Log Analysis: Monitor web server logs for the Cobian Backup interface (default port 8080) for suspicious POST requests to /users containing command-line syntax or special characters in the username field.
• Network Monitoring: Monitor network traffic to the backup server's web interface port for connections from untrusted IP addresses or unusual traffic patterns.
• Endpoint Detection: Monitor the backup server for anomalous process execution, such as cmd.exe or powershell.exe being spawned by the Cobian Backup service, or unexpected outbound network connections.

Compensating Controls:

• If patching is not immediately possible, restrict network access to the Cobian Backup web interface (default port 8080) using a firewall. Access should be limited strictly to trusted administrative hosts.
• If the web interface is not essential for operations, consider disabling it to completely remove the attack surface.
• Deploy an Intrusion Prevention System (IPS) with signatures capable of detecting and blocking command injection attacks.

Public Exploit Available: true

Given the high severity (CVSS 8.4), the unauthenticated nature of the exploit, and the public availability of PoC code, this vulnerability poses a critical and immediate threat. The organization must prioritize the immediate application of vendor-supplied security patches to all affected Cobian Backup instances. If patching cannot be performed immediately, implement compensating controls, such as firewall restrictions, to limit the attack surface until patches can be deployed. Due to the high likelihood of exploitation, a retroactive threat hunt for indicators of compromise is strongly recommended.