CVE-2025-11948
Multiple · Multiple Document Management System products developed by Excellent Infotek
A critical vulnerability has been identified in multiple Document Management System products from Excellent Infotek.
Executive summary
A critical vulnerability has been identified in multiple Document Management System products from Excellent Infotek. This flaw allows an unauthenticated remote attacker to upload malicious files, such as a web shell, which can be executed to gain complete control over the affected server. Successful exploitation could lead to data theft, system compromise, and further attacks on the internal network.
Vulnerability
The vulnerability is an Arbitrary File Upload that exists within the document management application. Due to insufficient validation of file types and content, an unauthenticated remote attacker can bypass security checks and upload a malicious file (e.g., a PHP, JSP, or ASPX web shell) to a web-accessible directory on the server. After a successful upload, the attacker can navigate to the file's URL to execute arbitrary code with the permissions of the web server process, leading to a full system compromise.
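The advisory attributes the flaw to insufficient validation of uploaded file names and content. The following Python snippet is an added illustration of the checks a hardened upload handler performs; it is not Excellent Infotek's code and says nothing about how their product is implemented. The allowlist, the `UPLOAD_ROOT` path and the function names are assumptions chosen for the example.

```python
import os
import secrets
from dataclasses import dataclass

# Added example, not the vendor's code. Illustrates the validation whose
# absence the advisory describes: name checks, content checks, and storage
# outside the web root under a server-chosen name.

# Allowlisted extensions mapped to the magic bytes a file of that type must start with.
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Extensions rejected wherever they appear in the name, so "report.php.pdf"
# and "shell.pHp" are refused as well as "shell.php".
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php5", "jsp", "jspx", "asp", "aspx", "sh", "cgi"}

# Storage directory outside the document root (assumed path for the example).
UPLOAD_ROOT = "/var/lib/dms/uploads"


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: str = ""


def validate_upload(filename: str, content: bytes) -> UploadDecision:
    """Decide whether an upload is acceptable; never trusts the client-supplied name."""
    # 1. Drop any directory component so "../../www/x.pdf" cannot steer the write.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base in (".", ".."):
        return UploadDecision(False, "empty or invalid filename")

    # 2. Inspect every dotted segment, not only the final extension.
    parts = base.lower().split(".")
    if len(parts) < 2:
        return UploadDecision(False, "missing extension")
    if any(seg in EXECUTABLE_EXTENSIONS for seg in parts[1:]):
        return UploadDecision(False, "executable extension present")

    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return UploadDecision(False, f"extension '{ext}' not in allowlist")

    # 3. Check content, not just the name: the bytes must match the declared type.
    if not any(content.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return UploadDecision(False, "content does not match declared type")

    # 4. Discard the client name entirely; store under a random server-generated name.
    return UploadDecision(True, "ok", f"{secrets.token_hex(16)}.{ext}")


def store_upload(filename: str, content: bytes, root: str = UPLOAD_ROOT) -> UploadDecision:
    """Validate, then write the file into a directory the web server never executes from."""
    decision = validate_upload(filename, content)
    if decision.accepted:
        os.makedirs(root, exist_ok=True)
        with open(os.path.join(root, decision.stored_name), "wb") as fh:
            fh.write(content)
    return decision


if __name__ == "__main__":
    # Constructed inputs for a quick demonstration.
    for name, data in [("report.pdf", b"%PDF-1.7\n"), ("shell.php", b"<?php"),
                       ("shell.php.pdf", b"%PDF-1.7\n"), ("logo.png", b"<?php")]:
        print(name, validate_upload(name, data))
```

The two controls that matter most are steps 3 and 4: the content check stops a script renamed to a document extension, and the random server-side name stored outside the web root means that even a file which slips through is never reachable as a URL the web server would execute.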
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could have a severe and direct impact on the business, leading to a complete breach of the system's confidentiality, integrity, and availability. Potential consequences include unauthorized access to and exfiltration of sensitive documents, deployment of ransomware, destruction of data, and the use of the compromised server as a pivot point to attack other internal systems. This poses a significant risk to organizational data security, operational continuity, and regulatory compliance.
Remediation
Immediate Action: Apply the security updates provided by Excellent Infotek to all affected Document Management System instances without delay. Before and after patching, review web server and application logs for indicators of compromise, such as suspicious file uploads or unusual requests to files the application did not create.
Proactive Monitoring: Implement enhanced monitoring of the affected systems. Specifically, look for POST requests to file-upload endpoints that carry filenames with executable extensions (e.g., .php, .jsp, .aspx, .sh), check for unexpected files being written to web directories, and monitor for outbound network connections from the web server to untrusted IP addresses. Anomaly detection on running processes can also help identify the execution of a web shell.
Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:
- Deploy a Web Application Firewall (WAF) with rules specifically configured to block the upload of executable file types.
- Configure the web server to disallow script execution in directories where files are uploaded.
- Restrict network access to the application, allowing connections only from trusted IP ranges.
- Implement file integrity monitoring to alert on the creation of new, unauthorized files in web directories.
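The monitoring and file-integrity controls above can be turned into concrete detection logic. The Python below is an added example, not part of the advisory or of any vendor tooling: it correlates POSTs to an upload endpoint with later successful requests for script-extension paths from the same client, and it diffs a SHA-256 baseline of a web directory against a fresh snapshot. The log format (Apache/nginx combined style), the endpoint paths in `UPLOAD_ENDPOINTS`, and the sample log lines are all constructed for the example.

```python
import hashlib
import os
import re
import tempfile

# Added example, not from the advisory. Endpoint paths and the log format are assumptions.
UPLOAD_ENDPOINTS = ("/upload", "/api/upload", "/document/upload")

# Script-extension paths; the lookahead stops "report.php.pdf" from matching here.
EXECUTABLE_EXT = re.compile(r"\.(?:php\d?|phtml|jsp|jspx|asp|aspx|sh|cgi)(?=$|[/?#])", re.IGNORECASE)

# Combined-log-format parser: ip ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample access log: one client uploads and then fetches a script path.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /login HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2025:12:00:05 +0000] "POST /api/upload HTTP/1.1" 200 88',
    '203.0.113.5 - - [10/Oct/2025:12:00:09 +0000] "GET /uploads/x9f2.php HTTP/1.1" 200 41',
    '198.51.100.7 - - [10/Oct/2025:12:01:00 +0000] "POST /api/upload HTTP/1.1" 200 88',
    '198.51.100.7 - - [10/Oct/2025:12:01:04 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 2048',
    '192.0.2.9 - - [10/Oct/2025:12:02:00 +0000] "GET /uploads/x9f2.php HTTP/1.1" 404 0',
]


def correlate_upload_then_execute(lines):
    """Return (ip, time, path) where a client POSTed to an upload endpoint and later
    received HTTP 200 for a path ending in a script extension."""
    uploaders = set()
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production collector would count these
        ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
        if method == "POST" and any(path.startswith(ep) for ep in UPLOAD_ENDPOINTS):
            uploaders.add(ip)
        elif ip in uploaders and status == "200" and EXECUTABLE_EXT.search(path):
            alerts.append((ip, m["time"], path))
    return alerts


def snapshot(web_root):
    """Map each file under web_root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, files in os.walk(web_root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, web_root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def integrity_alerts(baseline, current):
    """Compare two snapshots; new or modified script files are high severity."""
    alerts = []
    for path, digest in current.items():
        if path not in baseline:
            kind = "new"
        elif baseline[path] != digest:
            kind = "modified"
        else:
            continue
        severity = "high" if EXECUTABLE_EXT.search(path) else "low"
        alerts.append((kind, severity, path))
    return sorted(alerts)


def demo_integrity():
    """Build a throwaway web directory, baseline it, drop in a script, and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "index.php"), "wb") as fh:
            fh.write(b"<?php // legitimate application entry point\n")
        base = snapshot(root)
        with open(os.path.join(root, "uploads", "x9f2.php"), "wb") as fh:
            fh.write(b"<?php // constructed stand-in for an unauthorised file\n")
        return integrity_alerts(base, snapshot(root))


if __name__ == "__main__":
    print(correlate_upload_then_execute(SAMPLE_LOG))
    print(demo_integrity())
```

The correlation deliberately ignores the 404 from 192.0.2.9: a failed request for a script path is noise on its own, while a 200 for such a path from a client that just used the upload endpoint is exactly the "unusual request to an unknown file" the remediation text asks reviewers to look for. The integrity diff is run against a baseline taken from a known-good deployment, so any new script file under an upload directory surfaces as high severity regardless of how it got there.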
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical nature of this vulnerability, immediate action is required. We strongly recommend that all affected Document Management System products be patched immediately. Although this CVE is not currently on the CISA KEV list, its high impact and ease of exploitation make it a prime candidate for inclusion. Organizations should treat this as an active threat and prioritize remediation to prevent a potentially devastating system compromise.