A critical vulnerability has been discovered in Glutton V1 service endpoints that allows for unauthenticated access. This flaw could permit any user with network access to the affected services to read, modify, or delete sensitive data without requiring any credentials, posing a significant risk to data confidentiality, integrity, and availability.

The Glutton V1 service endpoints on Gotham stacks were improperly configured, lacking any authentication mechanism. This allows a remote, unauthenticated attacker to send direct API requests to the Glutton backend. By crafting simple HTTP requests (e.g., GET, POST, PUT, DELETE), an attacker can perform arbitrary data manipulation, including reading sensitive information, modifying existing records, or deleting data entirely, leading to a complete compromise of the data managed by the service.

This vulnerability is rated as critical severity with a CVSS score of 9.1. Exploitation could lead to severe business consequences, including a major data breach, loss of data integrity, and potential service disruption. Unauthorized access to and modification of backend data can result in significant financial loss, reputational damage, regulatory penalties if sensitive customer or corporate data is compromised, and a complete loss of trust from clients and partners.

Immediate Action: Immediately apply the security patch provided by the vendor to update all instances of Glutton Multiple Products to the latest version. Following the update, conduct a thorough review of access logs for the affected service endpoints to identify any unauthorized or suspicious activity that may have occurred prior to patching.

Proactive Monitoring: Implement continuous monitoring of network traffic and access logs for the Glutton service endpoints. Specifically, look for direct access attempts from untrusted IP ranges, unusual patterns of API calls (e.g., high volume of DELETE or GET requests), and any connections that bypass normal application workflows.

Compensating Controls: If immediate patching is not feasible, implement network-level access controls as a temporary measure. Use firewalls, reverse proxies, or network segmentation to restrict access to the vulnerable Glutton V1 endpoints, allowing connections only from trusted and explicitly authorized application servers.

Public Exploit Available: false

Given the critical CVSS score of 9.1 and the ease of exploitation, it is strongly recommended that organizations prioritize the immediate patching of all affected Glutton products. Although this vulnerability is not currently on the CISA KEV list, its severity warrants an urgent response. Organizations should assume potential compromise and conduct a forensic review of access logs to detect any malicious activity that may have occurred before the patch was applied.