CVE-2025-24775
Made · Made I.T. Forms
Executive summary
A critical vulnerability has been identified in the Made I.T. Forms product, which allows an unauthenticated attacker to upload a malicious file, known as a web shell. Successful exploitation gives the attacker complete control over the affected web server, potentially leading to data theft, service disruption, and further attacks against the internal network. Due to the extreme severity (CVSS 9.9), immediate remediation is required to prevent a full system compromise.
Vulnerability
The vulnerability is an Unrestricted File Upload, which exists because the application's file upload functionality fails to properly validate the type of file being uploaded. An attacker can bypass security checks and upload a file containing executable code (e.g., a PHP, ASPX, or JSP script), commonly referred to as a "web shell." After a successful upload, the attacker can access the malicious file via a URL, causing the web server to execute the code and granting the attacker remote command execution on the server with the permissions of the web service account.
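To make the failure mode concrete, the following is an added illustration (not code from Made I.T. Forms and not a description of the product's actual validation routine) of a weak upload check beside a hardened one. The weak check trusts the client-supplied Content-Type and blocks a single literal suffix, which is the shape of validation that leads to Unrestricted File Upload; the hardened check ignores client metadata, allowlists a few extensions, verifies the leading bytes match the claimed type, and never reuses the client filename on disk. The magic-byte table and the sample inputs are constructed for the example.

```python
import os
import secrets

# Constructed signatures for the only types this example accepts.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"

# Allowlist: extension -> expected leading bytes (assumption for the example).
ALLOWED = {
    "png": PNG_MAGIC,
    "jpg": JPEG_MAGIC,
    "jpeg": JPEG_MAGIC,
}


def weak_is_allowed(filename: str, content_type: str) -> bool:
    """Weak check (illustrative): trusts the client's Content-Type header and
    only refuses one literal suffix. Case variants and other executable
    extensions pass, which is how a script file reaches a web-served directory."""
    if not content_type.startswith("image/"):
        return False
    return not filename.endswith(".php")


def hardened_is_allowed(filename: str, data: bytes) -> bool:
    """Hardened check: ignore client-supplied metadata entirely, allowlist the
    final extension, and require the file content to start with that type's
    signature. Anything not on the allowlist is rejected."""
    base = os.path.basename(filename)
    if "." not in base:
        return False
    ext = base.rsplit(".", 1)[1].lower()   # final extension only, lower-cased
    magic = ALLOWED.get(ext)
    if magic is None:
        return False
    return data.startswith(magic)


def stored_name(filename: str) -> str:
    """Name to use on disk after hardened_is_allowed() passed: a random token
    plus the allowlisted extension, so the client never controls the path."""
    ext = os.path.basename(filename).rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        raise ValueError("stored_name() called for a non-allowlisted extension")
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    sample = PNG_MAGIC + b"\x00" * 16          # constructed PNG-like payload
    print(weak_is_allowed("notes.phtml", "image/png"))        # True: weak check passes it
    print(hardened_is_allowed("notes.phtml", b"not an image")) # False
    print(hardened_is_allowed("photo.png", sample))            # True
    print(stored_name("photo.png"))
```

The hardened check is only one layer: the upload directory should additionally sit outside the web root or have script execution disabled, so that even a file that slips through validation is served as inert data rather than executed.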
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.9. A successful exploit results in a complete compromise of the web server's confidentiality, integrity, and availability. The business impact includes a high risk of sensitive data exfiltration (e.g., customer data, intellectual property), financial loss, and severe reputational damage. The compromised server could also be used as a pivot point to launch further attacks against the internal network, significantly expanding the scope of the breach.
Remediation
Immediate Action: Update the Made I.T. Forms product immediately to the latest available version (newer than 2.9.0), as per the vendor's guidance. After patching, monitor for any signs of post-remediation exploitation attempts and conduct a thorough review of historical web server and application access logs for any indicators of compromise preceding the patch.
Proactive Monitoring: Implement monitoring for suspicious activity, including:
- Reviewing web server logs for uploads of files with executable extensions (.php, .phtml, .aspx, .jsp, etc.) to unexpected directories.
- Monitoring for outbound network traffic from the web server to unusual IP addresses or ports.
- Searching for web log entries where a recently uploaded file is accessed, especially if followed by command-line parameters (e.g., .../uploads/shell.php?cmd=...).
- Using file integrity monitoring (FIM) to detect the creation of unauthorized files in web-accessible directories.
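The first and third monitoring items above can be turned into a log check. The following is an added example, not part of the advisory or of any vendor tooling: it parses combined-format (Apache/nginx style) access log lines and flags requests for files with executable extensions under an upload directory, escalating when the request carries a query string or follows an upload POST from the same client within a short window. The upload directory (`/uploads/`), the assumption that the upload endpoint path contains `upload`, the 300-second window, and every log line are constructed for the example and should be adjusted to the real deployment.

```python
import re
from datetime import datetime

EXEC_EXTS = {"php", "phtml", "aspx", "jsp"}   # extensions named in the advisory; extend as needed
UPLOAD_DIRS = ("/uploads/",)                 # ASSUMPTION: where the product stores uploaded files
WINDOW_SECONDS = 300                         # ASSUMPTION: what "recently uploaded" means here

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

# Constructed sample log; addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:14:02:11 +0000] "POST /forms/upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:14:02:19 +0000] "GET /uploads/forms/a1b2.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2025:14:05:03 +0000] "GET /uploads/2025/03/brochure.pdf HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:15:10:44 +0000] "GET /uploads/forms/img.phtml HTTP/1.1" 404 210 "-" "curl/8.0"
192.0.2.55 - - [10/Mar/2025:16:20:00 +0000] "GET /uploads/forms/legacy.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path, _, query = m["target"].partition("?")
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": path,
        "query": query,
        "status": int(m["status"]),
    }


def is_exec_in_upload_dir(path):
    """True when the path is under an upload directory and ends in an executable extension."""
    lowered = path.lower()
    if not any(lowered.startswith(d) for d in UPLOAD_DIRS):
        return False
    name = lowered.rsplit("/", 1)[-1]
    return "." in name and name.rsplit(".", 1)[1] in EXEC_EXTS


def scan(lines):
    """Walk the log in order and return one finding per suspicious request."""
    findings = []
    last_upload = {}  # client ip -> timestamp of its most recent upload POST
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and "upload" in rec["path"].lower():
            last_upload[rec["ip"]] = rec["ts"]
            continue
        if not is_exec_in_upload_dir(rec["path"]):
            continue
        reasons = set()
        if rec["query"]:
            reasons.add("query_string")        # script in upload dir called with parameters
        prev = last_upload.get(rec["ip"])
        if prev is not None and 0 <= (rec["ts"] - prev).total_seconds() <= WINDOW_SECONDS:
            reasons.add("after_upload_post")   # same client uploaded something just before
        if rec["status"] == 200:
            reasons.add("served_200")          # the file exists and was served or executed
        if reasons & {"query_string", "after_upload_post"}:
            severity = "high"
        elif "served_200" in reasons:
            severity = "medium"
        else:
            severity = "low"                   # e.g. a 404 probe for a script that is not there
        findings.append({"severity": severity, "ip": rec["ip"],
                         "path": rec["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f["severity"], f["ip"], f["path"], sorted(f["reasons"]))
```

A "medium" hit on a script under the upload directory that was served with 200 and has no matching upload POST still deserves a look: it may be a file planted before the log retention window, which is exactly the case the FIM check in the list above is meant to catch.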
Compensating Controls: If patching cannot be performed immediately, apply the following controls to mitigate risk:
- Deploy a Web Application Firewall (WAF) with rules specifically designed to block the upload of malicious or executable file types.
- If possible, disable the file upload functionality within the Forms product until a patch can be applied.
- Configure the web server to deny script execution permissions in the directory where files are uploaded.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.9 and the potential for complete system compromise, this vulnerability poses an immediate and severe threat to the organization. We strongly recommend that all systems running affected versions of Made I.T. Forms be patched immediately. Although this CVE is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its high impact and the simplicity of exploitation make it an urgent priority for remediation. Do not wait for evidence of active exploitation before taking action.