A critical vulnerability has been identified in UliCMS, designated CVE-2023-53923, with a CVSS score of 9.8. This flaw allows an unauthenticated attacker to create a new administrative account by sending a specially crafted request to the web server. Successful exploitation results in a complete compromise of the affected UliCMS application, granting the attacker full administrative control.

This is a privilege escalation vulnerability within the UserController component of UliCMS. The vulnerability exists because the user creation endpoint at /dist/admin/index.php fails to perform proper authentication and authorization checks. An unauthenticated attacker can craft a malicious POST request containing specific parameters to trigger the new user creation function, specifying the user role as 'administrator'. This bypasses all security controls and directly creates a new, fully privileged administrative account on the system.

The business impact of this vulnerability is critical, reflected by its CVSS score of 9.8. An attacker who successfully exploits this flaw gains complete administrative access to the UliCMS application. This can lead to severe consequences, including theft and exfiltration of sensitive data (customer information, intellectual property), unauthorized modification or deletion of website content, website defacement causing reputational damage, and using the compromised server as a platform for launching further attacks against the organization's internal network or other external targets.

Immediate Action: The primary remediation is to apply the security patches provided by the vendor. Organizations must immediately update UliCMS Multiple Products to the latest version. Before or after patching, administrators should audit all user accounts, especially those with administrative privileges, to identify and remove any unauthorized accounts that may have been created.

Proactive Monitoring: System administrators should actively monitor web server access logs for any suspicious POST requests to the /dist/admin/index.php endpoint, particularly from untrusted or unexpected IP addresses. Implement alerts for the creation of new user accounts, especially those with elevated privileges. File integrity monitoring can also help detect unauthorized changes to the application's core files.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to block or alert on POST requests to the /dist/admin/index.php endpoint. Additionally, restrict access to the /dist/admin/ directory at the web server level, allowing connections only from trusted IP addresses.

Public Exploit Available: false

Given the critical severity (CVSS 9.8) and the potential for a complete system compromise by an unauthenticated attacker, this vulnerability requires immediate attention. The primary recommendation is to apply the vendor-supplied patches without delay. While this vulnerability is not currently on the CISA KEV list, its high impact and ease of exploitation warrant an emergency patching cycle. Following the update, a thorough audit for unauthorized administrative accounts is crucial to ensure the system was not compromised prior to remediation.