CVE-2025-10452

Statistical Database System developed by Gotac has a Missing Authentication vulnerability · Multiple Products


Executive summary

A critical vulnerability has been identified in the Statistical Database System developed by Gotac, which completely lacks authentication for critical functions. This flaw allows any remote attacker to connect to the database without credentials and gain full control to read, modify, or delete all stored data. Immediate action is required to prevent a catastrophic data breach, loss of data integrity, and severe operational disruption.

Vulnerability

The vulnerability is a critical Missing Authentication flaw. The database system fails to implement any authentication mechanism for interfaces that control data manipulation. A remote, unauthenticated attacker can directly connect to the exposed database service and execute commands with high-level privileges, effectively bypassing all security controls. Exploitation is trivial and involves sending crafted requests to the database to read, write, or delete information without needing a username, password, or any prior access.

Business impact

This vulnerability carries a critical severity rating with a CVSS score of 9.8. Exploitation could have a devastating business impact, leading to a complete compromise of the database's confidentiality, integrity, and availability. Potential consequences include a major breach of sensitive statistical data, leading to regulatory fines and reputational damage; manipulation of critical data, resulting in flawed business intelligence and financial loss; and the complete deletion of the database, causing catastrophic operational downtime and potentially permanent data loss.

Remediation

Immediate Action: The primary remediation is to apply the security patches provided by the vendor immediately. Update the Statistical Database System developed by Gotac to the latest version across all affected assets to eliminate the vulnerability. After patching, review access logs for any signs of compromise that may have occurred prior to the update.

Proactive Monitoring:

  • Log Analysis: Continuously monitor database and application access logs for any connections originating from untrusted or unexpected IP addresses. Scrutinize logs for an unusual volume of read, write, or delete operations.
  • Network Traffic: Monitor for anomalous outbound traffic from database servers, which could indicate data exfiltration. Set up alerts for large data transfers or connections to unknown destinations.
  • System Integrity: Use file integrity monitoring to detect unauthorized changes to database files or system configurations.
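The log-analysis bullets above can be turned into a small triage script. The following is an added example, not code from the advisory or from Gotac: it applies two of the checks described (connections from outside a trusted-source allowlist, and an unusual volume of delete operations from a single source) to constructed sample access-log lines. The log format, field names, the 10.0.1.0/24 application subnet and the sample IP addresses are all assumptions made for the example; a real deployment would adapt the parser to the product's actual log format.

```python
"""Added example (not from the advisory): flag suspicious database access
using two checks from the advisory's monitoring guidance:
  1. connections from sources outside a trusted allowlist, and
  2. an unusual volume of DELETE operations from one source.

The log format, field names and sample lines below are constructed for
this example and are not the Gotac product's real log format."""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines: "<timestamp> <src_ip> <user|-> <op> <object>"
# A "-" user field represents a connection that presented no credentials.
SAMPLE_LOG = """\
2025-09-01T10:00:01Z 10.0.1.20 appsvc READ stats.table_a
2025-09-01T10:00:02Z 10.0.1.20 appsvc READ stats.table_b
2025-09-01T10:00:05Z 203.0.113.7 - READ stats.table_a
2025-09-01T10:00:06Z 203.0.113.7 - DELETE stats.table_a
2025-09-01T10:00:06Z 203.0.113.7 - DELETE stats.table_b
2025-09-01T10:00:07Z 203.0.113.7 - DELETE stats.table_c
2025-09-01T10:00:09Z 10.0.1.21 appsvc WRITE stats.table_b
"""

# Hypothetical allowlist: only the application-server subnet may connect.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.1.0/24")]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (READ|WRITE|DELETE) (\S+)$")


def parse_log(text):
    """Return a list of (timestamp, src_ip, user, op, obj) tuples,
    skipping lines that do not match the expected format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groups())
    return events


def is_trusted(ip):
    """True if the source address falls inside a trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def untrusted_sources(events):
    """Source IPs that connected from outside the allowlist."""
    return sorted({e[1] for e in events if not is_trusted(e[1])})


def unauthenticated_sources(events):
    """Source IPs that issued operations without presenting a user."""
    return sorted({e[1] for e in events if e[2] == "-"})


def high_volume_sources(events, op, threshold):
    """Source IPs that issued at least `threshold` operations of type `op`."""
    counts = Counter(e[1] for e in events if e[3] == op)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def analyze(text, delete_threshold=3):
    """Run all checks over a log and return the findings as a dict."""
    events = parse_log(text)
    return {
        "untrusted_sources": untrusted_sources(events),
        "unauthenticated_sources": unauthenticated_sources(events),
        "mass_delete_sources": high_volume_sources(events, "DELETE", delete_threshold),
    }


if __name__ == "__main__":
    for check, sources in analyze(SAMPLE_LOG).items():
        print(f"{check}: {', '.join(sources) or 'none'}")
```

Tune the delete threshold and the allowlist to the environment; on the sample input every check points at the same external, credential-less source, which is exactly the pattern a missing-authentication flaw would leave behind in the logs.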

Compensating Controls: If patching cannot be performed immediately, implement the following controls to reduce risk:

  • Network Segmentation: Use a firewall or network access control lists (ACLs) to strictly limit access to the database server. Ensure that only trusted application servers can connect to the database port, and block all other access, especially from the public internet.
  • Authentication Layer: If possible, place a reverse proxy with a mandatory authentication layer in front of the database service as a temporary measure.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the critical CVSS score of 9.8 and the trivial nature of exploitation, this vulnerability represents an immediate and severe risk to the organization. We strongly recommend that all affected instances of the Statistical Database System be patched immediately as the highest priority. Although this CVE is not currently on the CISA KEV list, its critical impact makes it a prime candidate for future inclusion. If patching is delayed for any reason, compensating controls must be implemented without delay to prevent a compromise.