A critical remote code execution vulnerability has been identified in the Crafty Controller software. This flaw allows an attacker with an existing account to inject malicious code through the Webhook Template feature, potentially leading to a full compromise of the underlying server. Successful exploitation could result in data theft, service disruption, and unauthorized access to the network.

This is an input neutralization vulnerability, specifically a Server Side Template Injection (SSTI), within the Webhook Template component of Crafty Controller. A remote, authenticated attacker can craft a malicious payload containing template engine syntax and submit it via the webhook template. The application fails to properly sanitize this input, causing the server to execute the injected code, which results in remote code execution (RCE) with the privileges of the application's service account.

This vulnerability is rated as critical severity with a CVSS score of 9.9. A successful exploit would grant an attacker complete control over the affected server, leading to severe consequences. Potential impacts include the exfiltration of sensitive data, deployment of ransomware, manipulation or destruction of critical information, and using the compromised system as a pivot point to attack other internal network resources. The requirement for authentication slightly mitigates the risk, but this is still a critical threat if credentials are weak, stolen, or user registration is open.

Immediate Action: Update all instances of Crafty Controller to the latest version provided by the vendor to patch the vulnerability. After patching, review application and access logs for any evidence of malicious activity or exploitation attempts targeting the Webhook Template component.

Proactive Monitoring: Monitor application logs for suspicious or malformed payloads within webhook template configurations. System administrators should watch for unexpected processes spawned by the Crafty Controller application user and monitor for anomalous outbound network traffic from the server that could indicate a command-and-control connection.

Compensating Controls: If immediate patching is not feasible, restrict access to the Webhook Template functionality to a limited set of highly trusted administrative accounts. A Web Application Firewall (WAF) could be configured with rules to detect and block common SSTI attack patterns as a temporary mitigating control.

Public Exploit Available: False

This vulnerability poses a critical and immediate threat to the organization. Given the near-maximum CVSS score and the risk of a full system compromise, immediate action is required. All system owners must prioritize the deployment of the vendor-supplied security update to all affected Crafty Controller instances without delay. Although this CVE is not currently on the CISA KEV list, its high severity makes it a prime candidate for future inclusion and widespread exploitation.