CVE-2025-35114
Agiloft · Agiloft Multiple Products
A high-severity vulnerability has been identified in multiple Agiloft products, specifically within Release 28.
Executive summary
Agiloft Release 28, across multiple Agiloft products, ships several built-in accounts whose credentials are hard-coded defaults. Because the credentials are static and shipped with the software, anyone who has studied the product can know them; the only barrier is the foothold itself. An attacker who already has low-privileged local access to the host running Agiloft can authenticate as one of these accounts and escalate to administrative control, compromising the data and the integrity of the system.
Vulnerability
The vulnerability is an instance of the hard-coded credentials weakness class (CWE-798): the Agiloft software contains built-in user accounts with static default credentials. This is a privilege-escalation issue, not a remote unauthenticated one: the attacker must first have low-privileged access to the server hosting the Agiloft application. From that position, authenticating as one of the default users bypasses the normal access controls and yields elevated permissions within the application or on the host itself. Note that a credential the vendor embeds in the product is, in practice, a shared secret across every installation, so its exposure is not limited to a single deployment.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could have a significant business impact by compromising the confidentiality, integrity, and availability of data managed within the Agiloft platform, which often includes sensitive contract, legal, and customer information. An attacker with escalated privileges could exfiltrate sensitive data, modify critical business workflows and records, or disrupt service operations, leading to potential regulatory fines, financial loss, and reputational damage.
Remediation
Immediate Action:
- Immediately apply the security patches provided by Agiloft to all affected systems. The patch is expected to remove the vulnerable default accounts or force their passwords to be changed; do not assume it did so. After patching, verify that each default account is gone or can no longer authenticate with its old credentials.
- Conduct a thorough audit of all user accounts within the Agiloft application and on the underlying operating system, comparing them against the vendor's list of affected accounts where one is published. Disable or delete any unnecessary accounts and ensure all remaining accounts adhere to strong password policies.
- Review user permissions and access controls to enforce the principle of least privilege, ensuring users only have the access required for their roles.
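The account audit above is easier to do consistently from an export of the user table than by clicking through the UI. The following is an added example, not Agiloft's own tooling: it reads a constructed CSV export (the column names are assumptions, not Agiloft's real schema) and flags enabled accounts that look like vendor-shipped defaults. The watchlist of account names is a placeholder to be filled in from the vendor advisory; the heuristics (password never changed since the account was created, privileged account that has never logged in interactively) catch default accounts even when their names are not yet known.

```python
"""Flag accounts in a user export that look like vendor-shipped defaults.

Added example, not Agiloft code. The export format, column names and the
account names in the sample data are constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime

# Constructed sample export; the column names are assumptions, not Agiloft's schema.
SAMPLE_EXPORT = """\
username,groups,created,password_changed,last_login,enabled
jsmith,Contract Manager,2024-03-02T09:15:00Z,2025-01-10T11:02:00Z,2025-06-01T08:30:00Z,true
svc_integration,admin,2024-03-02T09:00:00Z,2024-03-02T09:00:00Z,,true
setup_user,admin,2024-03-02T09:00:00Z,2024-03-02T09:00:00Z,2025-06-02T03:14:00Z,true
auditor,Auditor,2024-05-11T10:00:00Z,2025-02-20T16:45:00Z,2025-05-30T12:00:00Z,true
olduser,Contract Viewer,2023-01-01T00:00:00Z,2023-01-01T00:00:00Z,,false
"""

# Placeholder watchlist: replace with the account names the vendor advisory lists.
KNOWN_DEFAULT_ACCOUNTS = {"setup_user"}


@dataclass(frozen=True)
class Finding:
    username: str
    reasons: tuple


def parse_ts(value):
    """Parse an ISO-8601 timestamp; an empty field means 'never'."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_users(export_text, known_defaults=KNOWN_DEFAULT_ACCOUNTS):
    """Return a Finding for every enabled account that matches a default-account heuristic."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # disabled accounts cannot be used to authenticate
        reasons = []
        created = parse_ts(row["created"])
        changed = parse_ts(row["password_changed"])
        last_login = parse_ts(row["last_login"])
        is_admin = "admin" in row["groups"].lower()

        if row["username"] in known_defaults:
            reasons.append("name on default-account watchlist")
        # A password set at creation and never rotated is the signature of a shipped default.
        if created is not None and changed is not None and changed <= created:
            reasons.append("password never changed since account creation")
        # Privileged accounts nobody has ever logged in as deserve a second look.
        if is_admin and last_login is None:
            reasons.append("privileged account with no interactive login history")

        if reasons:
            findings.append(Finding(row["username"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit_users(SAMPLE_EXPORT):
        print(f"{f.username}: {'; '.join(f.reasons)}")
```

Run it against a real export after adjusting the column names; every flagged account should either be removed, have its password rotated, or be explicitly justified and documented.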
Proactive Monitoring:
- Monitor system and application logs for any login attempts or activity from known default account names. Once the accounts are supposed to be disabled, any successful authentication as one of them is a strong indicator of compromise and should be investigated as an incident, not treated as noise.
- Implement alerts for unusual privilege escalation activities on the host server, such as the creation of new administrative accounts or unexpected processes running with elevated rights.
- Review audit trails within the Agiloft application for any unauthorized changes to configurations, user roles, or critical data.
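The three monitoring items above can be expressed as a small detection pass over authentication and administrative audit logs. The following is an added example, not Agiloft's or any vendor's code: the log lines and their syslog-like format are constructed for illustration (real Agiloft and operating-system log formats differ, so the regular expressions must be adapted), and the default account names are placeholders. It flags logins and administrative actions by watchlisted accounts, grants of administrative group membership by anyone, and root sessions on the host opened by a watchlisted account.

```python
"""Detect default-account use and privilege changes in constructed log lines.

Added example, not vendor code. Log format, hostnames and account names
are constructed placeholders; adapt the regexes to your real log sources.
"""
import re
from collections import Counter

# Placeholder watchlist: fill from the vendor's list of affected default accounts.
DEFAULT_ACCOUNTS = {"setup_user", "svc_integration"}

# Constructed sample lines, not captured from a real system.
SAMPLE_LOG = """\
2025-06-02T03:14:07Z agiloft-app auth: LOGIN user=setup_user result=success src=10.0.5.17
2025-06-02T03:14:09Z agiloft-app admin: USER_CREATE actor=setup_user target=backdoor groups=admin
2025-06-02T03:15:30Z agiloft-app admin: GROUP_CHANGE actor=setup_user target=jsmith groups=admin
2025-06-02T03:16:00Z agiloft-host sudo: pam_unix(sudo:session): session opened for user root by svc_integration(uid=1002)
2025-06-02T08:30:12Z agiloft-app auth: LOGIN user=jsmith result=success src=10.0.7.22
2025-06-02T08:31:00Z agiloft-app auth: LOGIN user=svc_integration result=failure src=203.0.113.9
2025-06-02T08:32:00Z agiloft-app admin: GROUP_CHANGE actor=admin target=auditor groups=Auditor
"""

LOGIN_RE = re.compile(r"auth: LOGIN user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)")
ADMIN_RE = re.compile(
    r"admin: (?P<action>USER_CREATE|GROUP_CHANGE) actor=(?P<actor>\S+) "
    r"target=(?P<target>\S+) groups=(?P<groups>\S+)"
)
SUDO_RE = re.compile(r"session opened for user root by (?P<user>[^\s(]+)")


def analyze(log_text, watchlist=DEFAULT_ACCOUNTS):
    """Return (alerts, failed_logins). Each alert is (severity, timestamp, message)."""
    alerts = []
    failed = Counter()
    for line in log_text.splitlines():
        ts = line.split(" ", 1)[0]

        if m := LOGIN_RE.search(line):
            user = m["user"]
            if user in watchlist:
                # A successful login as a shipped default account is the primary indicator.
                sev = "HIGH" if m["result"] == "success" else "MEDIUM"
                alerts.append((sev, ts, f"default account {user} login {m['result']} from {m['src']}"))
            if m["result"] != "success":
                failed[user] += 1
            continue

        if m := ADMIN_RE.search(line):
            if m["actor"] in watchlist:
                alerts.append(("HIGH", ts, f"{m['action']} by default account {m['actor']} "
                                           f"on {m['target']} (groups={m['groups']})"))
            elif "admin" in m["groups"].lower():
                # Any grant of admin membership is worth a review, whoever performed it.
                alerts.append(("MEDIUM", ts, f"{m['action']} granted admin to {m['target']} by {m['actor']}"))
            continue

        if m := SUDO_RE.search(line):
            if m["user"] in watchlist:
                alerts.append(("HIGH", ts, f"root session on host opened by default account {m['user']}"))
    return alerts, failed


if __name__ == "__main__":
    found, failures = analyze(SAMPLE_LOG)
    for sev, ts, msg in found:
        print(f"{sev:6} {ts} {msg}")
    print("failed logins by user:", dict(failures))
```

In the sample, the setup_user login and the two administrative actions it performs, plus the root session on the host, come out as HIGH; the failed login as svc_integration from an external address is MEDIUM; the ordinary jsmith login and the non-admin group change are not flagged.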
Compensating Controls:
- If patching cannot be performed immediately, identify the default accounts (from the vendor advisory where it names them, otherwise by auditing for accounts whose passwords have never been changed since creation) and either disable them or change their passwords to strong, unique values. Because credentials embedded in the software may be re-applied by an upgrade or re-initialization, re-check these accounts after any maintenance until the vendor patch is in place.
- Implement strict host-based security controls, such as limiting shell access and enhancing process monitoring, to prevent or detect initial compromise attempts.
- Restrict network access to the Agiloft application and its underlying server to only trusted and necessary sources.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.5) and the trivial exploitation for an attacker who already has local access (a fixed, vendor-known credential with no technical hurdle), immediate patching is strongly recommended. Organizations should prioritize the deployment of the vendor-supplied update across all systems running Agiloft Release 28. The risk is magnified in environments where multiple users have shell access to the host server, or where the host is shared with other services that could provide the initial foothold. Following patching, a comprehensive review of all user accounts and permissions, and confirmation that the default accounts can no longer authenticate, is critical to ensure a strong, long-term security posture and to mitigate risk from similar configuration weaknesses.