A critical authentication bypass vulnerability, identified as CVE-2024-50645, has been discovered in MallChat products. This flaw allows an unauthenticated attacker to access the application's API, potentially leading to unauthorized access to sensitive data, system manipulation, and complete service compromise. Due to its critical severity and ease of exploitation, immediate remediation is required to prevent significant security incidents.

The vulnerability is an authentication bypass in the API service. The application fails to properly enforce authentication checks for API endpoints, allowing requests to be processed without a valid security token. An attacker can exploit this by crafting and sending direct API requests to the server without providing any credentials, thereby gaining the same level of access as an authenticated user.

This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the high potential for significant business disruption. Successful exploitation could grant an attacker complete control over the application's functions accessible via the API. This could lead to a severe data breach involving customer information or proprietary data, unauthorized modification or deletion of records, financial fraud, and service disruption. The resulting consequences include major reputational damage, regulatory fines, and loss of customer trust.

Immediate Action: Organizations must immediately apply the vendor-provided security updates to upgrade MallChat Multiple Products to the latest version. After patching, it is crucial to review access logs for any signs of anomalous activity or potential exploitation that may have occurred prior to the update.

Proactive Monitoring: Implement enhanced monitoring of the MallChat API endpoints. Security teams should look for API requests that lack an authentication token but receive a successful (e.g., HTTP 200 OK) response. Monitor for unusual spikes in API traffic, requests from untrusted IP ranges, or attempts to access high-privilege API functions.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:

• Deploy a Web Application Firewall (WAF) or API Gateway with strict rules to block any API requests that do not contain a valid authentication header.
• Restrict network access to the vulnerable API, allowing connections only from trusted, internal IP addresses.
• Temporarily disable the affected application or its API functionality if it is not business-critical.

Public Exploit Available: false

This vulnerability poses a severe and immediate risk to the organization. Due to the critical CVSS score of 9.8, we strongly recommend that the vendor's patch be applied on an emergency basis across all affected systems. Although this CVE is not currently listed on the CISA KEV list, its characteristics make it a prime candidate for future inclusion and widespread exploitation. Organizations must prioritize this remediation activity and verify that compensating controls are in place until patching is complete.