CVE-2023-53921
SitemagicCMS · SitemagicCMS Multiple Products
A critical remote code execution vulnerability exists in SitemagicCMS, identified as CVE-2023-53921 with a CVSS score of 9.8.
Executive summary
A critical remote code execution vulnerability exists in SitemagicCMS, identified as CVE-2023-53921 with a CVSS score of 9.8. This flaw allows an unauthenticated attacker to upload a malicious file, leading to a complete compromise of the web server. Successful exploitation could result in data theft, service disruption, and the ability for an attacker to execute arbitrary commands on the affected system.
Vulnerability
This vulnerability is a file upload bypass that leads to remote code execution (RCE). An attacker can exploit insufficient validation in the file upload functionality to upload a PHP Archive (.phar) file containing a malicious payload, such as a web shell. The application incorrectly allows this file to be saved in a web-accessible directory (files/images). By subsequently accessing the URL of the uploaded file, the attacker can trigger the execution of the embedded PHP code, granting them the ability to run arbitrary system commands with the privileges of the web server process.
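The flaw described above is an upload check that lets a `.phar` file through into a web-served image directory. The following is an added illustration, not SitemagicCMS's own upload code, of how an image-upload validator can be written so that this class of bypass fails: an extension allowlist rather than a denylist, every dot-separated segment of the name checked (so `shell.phar.jpg` is rejected as well as `shell.phar`), and the file's leading bytes compared against the declared type. The allowed and dangerous extension sets and the magic-byte table are assumptions chosen for the example.

```python
import os
import re

# Allowlist: the only extensions an image directory should ever accept (assumption for this example).
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}

# Extensions that must never land in a web-accessible directory. .phar and .phtml are the
# ones named in the advisory; the others are common PHP handler variants (assumption).
DANGEROUS_EXTENSIONS = {"php", "phar", "phtml", "php3", "php4", "php5", "php7", "phps", "pht"}

# Leading bytes expected for each allowed type (bytes.startswith accepts a tuple).
MAGIC_BYTES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "webp": (b"RIFF",),
}


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed upload into an image directory."""
    # Strip any directory component so "../../x.png" is judged on "x.png" alone.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):
        return False, "empty or hidden filename"

    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "missing extension"

    exts = parts[1:]
    # Check every extension segment, not just the last one: "shell.phar.jpg" and
    # "shell.jpg.phar" are both rejected here.
    if any(e in DANGEROUS_EXTENSIONS for e in exts):
        return False, "executable extension"
    if len(exts) != 1:
        return False, "multiple extensions"

    ext = exts[0]
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        return False, "extension not in allowlist"

    # The declared type must agree with the content's leading bytes.
    if not content.startswith(MAGIC_BYTES[ext]):
        return False, "content does not match declared type"

    # Keep the stem to a conservative character set to avoid surprises in the web server.
    if not re.fullmatch(r"[a-z0-9_-]+", parts[0]):
        return False, "unsafe characters in name"

    return True, "ok"


if __name__ == "__main__":
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8   # constructed sample content
    for name in ("logo.png", "shell.phar", "shell.phar.jpg", "photo.jpg"):
        print(name, validate_upload(name, png_header))
```

The allowlist plus magic-byte check is what keeps the directory to images; the separate "executable extension" branch exists only so that logs and alerts can distinguish an attempted PHP-variant upload from an ordinary rejected file type.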
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8, posing an extreme risk to the organization. A successful attack could lead to a complete system compromise, enabling an attacker to exfiltrate sensitive data, including customer information and intellectual property. Further impacts include website defacement, complete service disruption, significant reputational damage, and financial loss. The compromised server could also be used as a pivot point to launch further attacks against the internal network or be co-opted into a botnet.
Remediation
Immediate Action:
- Immediately upgrade all instances of SitemagicCMS to the latest patched version as recommended by the vendor.
- Consult the official vendor security advisory for specific patch information and detailed upgrade instructions.
- Begin monitoring for signs of compromise by reviewing web server access logs for suspicious file uploads (e.g., .phar extensions) or unusual requests to the /files/images/ directory.
Proactive Monitoring:
- Log Analysis: Scrutinize web server and application logs for POST requests to file upload endpoints followed by GET requests to files with extensions like .phar, .phtml, or other PHP variants in unexpected locations. Look for evidence of command execution in system logs, such as whoami, wget, or curl commands initiated by the web server process.
- File Integrity Monitoring (FIM): Implement FIM to alert on the creation of new, unauthorized files in web directories, particularly the files/images directory.
- Network Traffic Analysis: Monitor for anomalous outbound connections from the web server, which could indicate a reverse shell or data exfiltration.
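The log-analysis item above describes a two-step pattern: a POST to an upload endpoint, then a GET for a PHP-variant file under files/images. Here is an added detection example (not part of the advisory and not a SitemagicCMS tool) that runs that logic over Apache combined-format access log lines. The log lines, the client addresses and the `/upload` endpoint path are constructed for the example; the real upload endpoint path for SitemagicCMS is not given on this page, so pass your own in `upload_endpoint`.

```python
import re
from datetime import datetime

# Apache combined log format, enough fields for correlation (assumption: standard layout).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# .phar and .phtml come from the advisory; the rest are common PHP handler variants (assumption).
PHP_EXTENSIONS = ("phar", "phtml", "php", "php3", "php4", "php5", "php7", "pht", "phps")

# The web-writable directory named in the advisory.
WEB_WRITABLE_DIR = "/files/images/"

# Constructed sample log lines (TEST-NET addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:13:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Mar/2024:13:01:10 +0000] "POST /upload HTTP/1.1" 200 312',
    '203.0.113.5 - - [10/Mar/2024:13:01:15 +0000] "GET /files/images/photo.phar HTTP/1.1" 200 87',
    '198.51.100.7 - - [10/Mar/2024:13:02:00 +0000] "GET /files/images/logo.png HTTP/1.1" 200 23456',
    '198.51.100.7 - - [10/Mar/2024:13:02:30 +0000] "GET /files/images/cache.phtml HTTP/1.1" 404 210',
]


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def is_php_variant(path: str) -> bool:
    """True if the requested filename carries a PHP-variant extension in any segment."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    return any(seg in PHP_EXTENSIONS for seg in name.split(".")[1:])


def find_suspicious(lines, upload_endpoint="/upload"):
    """Return (ip, path, status, reason) tuples for PHP-variant requests under the
    web-writable directory, noting when the same client POSTed to the upload endpoint first.
    A 404 is still reported: a failed attempt is worth seeing before a successful one."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    last_upload = {}  # ip -> timestamp of that client's most recent upload POST
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["method"] == "POST" and e["path"].split("?", 1)[0] == upload_endpoint:
            last_upload[e["ip"]] = e["ts"]
            continue
        if e["path"].startswith(WEB_WRITABLE_DIR) and is_php_variant(e["path"]):
            reason = "php-variant file requested under web-writable directory"
            if e["ip"] in last_upload and last_upload[e["ip"]] <= e["ts"]:
                reason += " after POST to upload endpoint"
            alerts.append((e["ip"], e["path"], e["status"], reason))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

Feed it `open("access.log")` instead of `SAMPLE_LOG` to run over a real file; the correlation is per client address, so the "after POST" suffix marks the higher-confidence hits, while a bare PHP-variant request under files/images is reported on its own because the upload may have come through another path or another address.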
Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:
- Deploy a Web Application Firewall (WAF) with rules specifically designed to block the upload of executable file types and suspicious file names.
- Disable PHP execution within the files/images directory and any other user-writable directories. This can often be configured in the web server (e.g., via an .htaccess file for Apache).
- Restrict file upload functionality to authenticated and trusted users only.
- Run the web server process with the lowest possible privileges to limit the impact of a potential compromise.
Exploitation status
Public Exploit Available: True
Analyst recommendation
Due to the critical severity (CVSS 9.8) and the availability of a public exploit, this vulnerability presents an immediate and severe threat to the organization. We strongly recommend that all vulnerable SitemagicCMS instances be patched immediately without delay. If patching cannot be performed right away, the compensating controls listed above must be implemented as a matter of urgency. Organizations should operate under the assumption of compromise and actively hunt for indicators of malicious activity on any server running a vulnerable version.