A critical remote code execution vulnerability, identified as CVE-2025-11023, has been discovered in multiple products. This flaw allows an unauthenticated, remote attacker to trick the affected software into running malicious code from an external source, potentially leading to a complete system compromise, data theft, and service disruption. Due to the ease of exploitation and the critical severity rating, immediate remediation is strongly advised.

This vulnerability is a Remote File Inclusion (RFI) flaw within the underlying PHP code of the affected software, specifically noted in ArkSigner Software. The application fails to properly validate user-supplied input that is used in an include or require statement. An unauthenticated remote attacker can exploit this by crafting a request that points a parameter to a malicious PHP file hosted on an attacker-controlled server. The vulnerable application will then fetch and execute this external file, granting the attacker the ability to run arbitrary code on the server with the permissions of the web server process.

This vulnerability is rated as critical with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the affected server's confidentiality, integrity, and availability. The business impact includes, but is not limited to, the theft of sensitive corporate or customer data, deployment of ransomware, disruption of business-critical services hosted on the server, and reputational damage. The compromised system could also be used as a pivot point to launch further attacks against the internal network, escalating the overall risk to the organization.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor.

• Patch: Update Inclusion of Functionality from Untrusted Control Multiple Products to the latest version immediately.
• Monitor: After patching, monitor for any signs of exploitation attempts that may have occurred prior to the update. Review web server access logs and system logs for any anomalous activity.

Proactive Monitoring:

• Log Analysis: Scrutinize web server access logs for requests containing external URLs (e.g., http://, https://) in URL parameters.
• Network Traffic: Monitor for unusual outbound network connections from the affected servers to unknown IP addresses, as this could indicate the server is attempting to download a malicious file.
• File Integrity Monitoring: Check for the creation of unexpected files (e.g., web shells) in web-accessible directories.

Compensating Controls: If patching cannot be performed immediately, implement the following controls to reduce risk:

• Web Application Firewall (WAF): Deploy a WAF with rules designed to detect and block RFI attack patterns.
• PHP Hardening: In the php.ini configuration file, disable allow_url_include and allow_url_fopen to prevent PHP from including remote files. This is a highly effective control against this specific attack vector.
• Egress Filtering: Implement strict firewall rules to block all outbound traffic from the server, only allowing connections to known and trusted destinations.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the simplicity of exploitation, this vulnerability poses a severe and immediate threat to the organization. The highest priority is to apply the vendor-supplied patches to all affected systems without delay. If patching is not immediately feasible, the compensating controls, particularly disabling allow_url_include in the PHP configuration, should be implemented as a temporary emergency measure. Organizations should assume this vulnerability will be actively exploited and must proactively monitor for indicators of compromise.