A high-severity vulnerability has been identified in multiple products from The, assigned CVE-2023-49565. This flaw allows a remote, unauthenticated attacker to execute arbitrary commands on affected systems, potentially leading to a complete system compromise, data theft, and service disruption. Organizations are urged to apply vendor patches immediately to mitigate this critical risk.

The vulnerability exists within the cbis_manager Podman container component. A flaw in the /api/plugins endpoint fails to properly sanitize user-supplied input, allowing an unauthenticated remote attacker to send a specially crafted request containing malicious commands. The application processes this request and executes the embedded commands with the privileges of the container, resulting in remote command execution (RCE).

This vulnerability is rated as High severity with a CVSS score of 8.4. Successful exploitation could grant an attacker complete control over the affected container, leading to significant business consequences. These include the theft or modification of sensitive data, disruption of critical services hosted by the application, and the potential for the attacker to pivot to other systems within the network. A compromise could result in severe financial loss, regulatory penalties, and reputational damage.

Immediate Action: Apply the security updates provided by the vendor to all affected systems immediately. After patching, review historical access logs for the /api/plugins endpoint to identify any suspicious activity or potential signs of compromise that may have occurred before the patch was applied.

Proactive Monitoring: Implement enhanced monitoring focused on the cbis_manager container and its network traffic. Specifically, monitor web server and application logs for unusual or malformed requests to the /api/plugins endpoint. Watch for unexpected outbound network connections from the container, which could indicate a reverse shell, and monitor for abnormal process execution or CPU/memory usage within the container.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

• Restrict network access to the vulnerable /api/plugins endpoint using a firewall, reverse proxy, or network segmentation, allowing connections only from trusted IP addresses.
• Deploy a Web Application Firewall (WAF) with rules designed to detect and block RCE attempts targeting this specific endpoint.
• If the plugin functionality is not essential for business operations, consider disabling it entirely as a temporary measure.

Public Exploit Available: false

Given the critical risk of remote command execution and the high CVSS score of 8.4, we strongly recommend that all organizations using the affected products apply the vendor-supplied patches on an emergency basis. Although this vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, its severity warrants immediate attention to prevent potential exploitation. If patching is delayed, implement the suggested compensating controls and heighten monitoring for any indicators of compromise.