CVE-2024-52786
anji-plus · anji-plus AJ-Report
A critical vulnerability has been identified in anji-plus AJ-Report, a business intelligence and data visualization tool.
Executive summary
A critical vulnerability has been identified in anji-plus AJ-Report, a business intelligence and data visualization tool. This flaw allows an unauthenticated attacker to bypass security controls and execute arbitrary code on the server simply by sending a specially crafted URL. Successful exploitation would result in a complete system compromise, posing a severe risk to data confidentiality, integrity, and availability.
Vulnerability
The vulnerability is an authentication bypass that leads to remote code execution (RCE). The application fails to properly secure certain endpoints or parse URL parameters, allowing an attacker to circumvent authentication mechanisms. By sending a malicious, specially constructed URL to an affected AJ-Report instance, a remote, unauthenticated attacker can gain the ability to execute arbitrary commands on the underlying operating system with the privileges of the application's user account.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the ease of exploitation and the maximum potential impact. A successful attack would grant an adversary complete control over the affected server. This could lead to severe business consequences, including the theft or destruction of sensitive business data, deployment of ransomware, disruption of critical operations that rely on the reporting tool, and using the compromised server as a foothold to launch further attacks against the internal network.
Remediation
Immediate Action: Immediately update all instances of anji-plus AJ-Report to the latest version available from the vendor, which addresses this vulnerability. After patching, review web server and application access logs for any signs of exploitation attempts that may have occurred prior to the update.
Proactive Monitoring: Implement continuous monitoring of web server logs for suspicious or malformed URL requests targeting the AJ-Report application, particularly those that appear to access administrative functions without prior authentication. Monitor for unusual outbound network connections from the server hosting AJ-Report and look for unexpected processes spawned by the application's service account, which could indicate a successful compromise.
Compensating Controls: If immediate patching is not feasible, restrict network access to the AJ-Report web interface to only trusted IP addresses using a firewall. If available, deploy a Web Application Firewall (WAF) with rules designed to inspect and block the specific URL patterns known to exploit this vulnerability.
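The log review recommended above, as an added example that is not part of this advisory or of the AJ-Report project: it parses constructed access-log lines, normalizes each request path, and flags requests that reach an assumed admin prefix (a placeholder, not a real AJ-Report route) either without credentials or only after normalization. The log format, which records whether an Authorization header was present rather than its value, is also an assumption.

```python
"""Flag access-log requests that reach an admin path without credentials,
or whose raw URL only resolves to that path after normalization."""
import re
from urllib.parse import unquote

# Assumption: admin/API routes live under this prefix (placeholder value).
ADMIN_PREFIX = "/admin"

# Constructed sample lines: combined log format, last field records whether
# an Authorization header was present ("present" or "-"), never its value.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /admin/reports HTTP/1.1" 200 512 "present"
10.0.0.6 - - [01/Jan/2025:10:00:01 +0000] "GET /admin/reports HTTP/1.1" 200 512 "-"
10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /%61dmin/./reports HTTP/1.1" 200 512 "-"
10.0.0.8 - - [01/Jan/2025:10:00:03 +0000] "GET /static/logo.png HTTP/1.1" 200 512 "-"
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "([^"]*)"$'
)


def normalize_path(raw: str) -> str:
    """Decode %xx once, drop the query string, collapse '//' '/./' and '/../'."""
    path = unquote(raw.split("?", 1)[0])
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()  # never climb above the root
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def flag_suspicious(log_text: str) -> list:
    """Return (client_ip, raw_path, status, reasons) for admin-path requests
    that arrive without credentials or rely on URL encoding/dot-segments."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; count these separately in production
        ip, _ts, _method, raw, status, auth = m.groups()
        norm = normalize_path(raw)
        if not (norm == ADMIN_PREFIX or norm.startswith(ADMIN_PREFIX + "/")):
            continue
        reasons = []
        if auth in ("", "-"):
            reasons.append("no credentials")
        if norm != raw.split("?", 1)[0]:
            reasons.append("path changed under normalization")
        if reasons:
            findings.append((ip, raw, status, reasons))
    return findings
```

A 2xx status on a flagged line is the strongest signal, since a correctly protected admin route should have answered 401 or 403.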
Exploitation status
Public Exploit Available: True
Analyst recommendation
Given the critical CVSS score of 9.8 and the public availability of exploit code, this vulnerability represents a clear and present danger to the organization. We strongly recommend that all vulnerable instances of anji-plus AJ-Report be patched immediately. Although this CVE is not currently listed on the CISA KEV list, its characteristics make it a prime candidate for future inclusion and it should be treated with the highest priority. Deferring this patch will leave critical systems exposed to complete compromise.