CVE-2025-3621

ActADUR · ActADUR local server product (within "Multiple Products" as per vendor)

A critical vulnerability has been identified in the ActADUR local server product, developed by ProTNS.

Executive summary

A critical vulnerability has been identified in the ActADUR local server product, developed by ProTNS. This flaw allows a remote, unauthenticated attacker to execute arbitrary code on the affected host system. Successful exploitation would grant the attacker full control over the server, leading to potential data theft, complete system compromise, and a pivot point for further network intrusion.

Vulnerability

The vulnerability, described as "Improper Neutralization of Special Elements," allows for Remote Code Inclusion. An unauthenticated attacker can send a specially crafted request to the vulnerable server. The application fails to properly sanitize user-supplied input, allowing the attacker to specify a path to a remote file. The server then includes and executes the code from this remote location with the privileges of the application service, resulting in full Remote Code Execution (RCE) on the host system.
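The following is an added illustration of the input-handling defect described above and the allow-list check that closes it; it is not ProTNS code, the ActADUR implementation language is not stated in the advisory, and the plugin directory, module names and `resolve_include` helper are assumptions for the example. The unsafe pattern is to build the include target straight from the request value; the hardened resolver below refuses anything that names a remote location or leaves the plugin directory and only then maps a bare allow-listed name onto a file.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit

# Hypothetical plugin directory and allow-list; the real ActADUR layout is not
# published and the product's implementation language is not stated.
PLUGIN_DIR = Path("/opt/app/plugins")
ALLOWED_MODULES = {"report", "export", "dashboard"}


class IncludeRejected(ValueError):
    """Raised when a user-supplied include value fails validation."""


def resolve_include(user_value: str) -> Path:
    """Map a request parameter onto a file inside PLUGIN_DIR, or refuse.

    The defect class in the advisory is building the include target directly
    from the request value, so a caller can name a remote location and have its
    contents executed.  This resolver instead:
      1. rejects anything carrying a URL scheme or a // or \\ network-path prefix,
      2. rejects absolute paths, path separators and '..' segments,
      3. requires the bare name to be on a fixed allow-list,
      4. verifies the resolved file still lives under PLUGIN_DIR.
    """
    if not user_value or len(user_value) > 64:
        raise IncludeRejected("empty or oversized include name")
    # 1. http, https, ftp, file, data, ... or a network-path form are all remote.
    if urlsplit(user_value).scheme or user_value.startswith(("//", "\\\\")):
        raise IncludeRejected("remote locations are not permitted")
    # 2. Nothing that can leave the plugin directory.
    if user_value[0] in "/\\" or ".." in user_value or "/" in user_value or "\\" in user_value:
        raise IncludeRejected("path separators and traversal are not permitted")
    # 3. Conservative character set, then an exact allow-list match.
    if not re.fullmatch(r"[A-Za-z0-9_]+", user_value) or user_value not in ALLOWED_MODULES:
        raise IncludeRejected(f"unknown module {user_value!r}")
    # 4. Defence in depth: the final path must remain inside PLUGIN_DIR.
    target = (PLUGIN_DIR / f"{user_value}.py").resolve()
    if PLUGIN_DIR.resolve() not in target.parents:
        raise IncludeRejected("resolved path escaped the plugin directory")
    return target


def is_safe_include(user_value: str) -> bool:
    """Convenience wrapper: True if resolve_include() accepts the value."""
    try:
        resolve_include(user_value)
        return True
    except IncludeRejected:
        return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate name and the shapes the advisory warns about.
    for candidate in ("report", "http://203.0.113.5/x.txt", "//203.0.113.5/x",
                      "../../etc/passwd", "file:///etc/passwd", "admin"):
        print(f"{candidate!r:32} -> {'accept' if is_safe_include(candidate) else 'reject'}")
```

The allow-list is the control that matters: once the set of includable names is closed, scheme and traversal checks are only defence in depth, and a name that is merely "not obviously remote" (such as `admin` above) is still refused.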

Business impact

This vulnerability is rated as critical with a CVSS score of 9.6. Exploitation could lead to a complete compromise of the affected server's confidentiality, integrity, and availability. Potential consequences include the exfiltration of sensitive corporate or customer data, deployment of ransomware, service disruption, and reputational damage. An attacker could also use the compromised system as a foothold to move laterally within the organization's network, escalating the scope and impact of the breach.

Remediation

Immediate Action: The primary remediation is to update all affected instances of the products the vendor lists (identified only as "Unknown Multiple Products") that contain the ActADUR component to the latest version provided by the vendor. Before patching, organizations should perform system backups; after deployment, they should verify system functionality. In line with the advisory, organizations must also actively monitor for exploitation attempts and review access logs for any signs of compromise that may have occurred before patching.

Proactive Monitoring: Monitor web server and application logs for unusual requests, particularly those containing URLs, IP addresses, or unexpected file paths in input parameters. Network traffic should be monitored for suspicious outbound connections from the server, which could indicate the system is attempting to fetch a malicious remote file. System monitoring should be configured to alert on the creation of unexpected files or the execution of unauthorized processes.
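As an added example of the log review recommended above (not part of the advisory and not a ProTNS tool), the Python script below scans combined-format web access log lines for request parameters whose decoded value looks like a remote location, an absolute or out-of-tree path, or a bare IP address, and aggregates the hits per client address. The log lines, the `/act/index.cgi` endpoint and the `page` parameter are constructed for the example; the real ActADUR request shape is not published.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample in combined access-log format; these are not real ActADUR
# logs and the /act/index.cgi?page= parameter is an assumed shape.
SAMPLE_LOG = """\
198.51.100.7 - - [12/May/2025:10:01:12 +0000] "GET /act/index.cgi?page=report HTTP/1.1" 200 512
198.51.100.9 - - [12/May/2025:10:01:15 +0000] "GET /act/index.cgi?page=http://203.0.113.5/x.txt HTTP/1.1" 200 87
198.51.100.9 - - [12/May/2025:10:01:16 +0000] "GET /act/index.cgi?page=//203.0.113.5/x HTTP/1.1" 200 87
198.51.100.11 - - [12/May/2025:10:02:01 +0000] "GET /act/index.cgi?page=../../etc/passwd HTTP/1.1" 404 120
198.51.100.12 - - [12/May/2025:10:02:30 +0000] "POST /act/login HTTP/1.1" 302 0
198.51.100.13 - - [12/May/2025:10:03:05 +0000] "GET /act/index.cgi?page=ftp%3A%2F%2F203.0.113.5%2Fx HTTP/1.1" 200 90
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Each indicator is a shape a remote or out-of-tree include target would take
# once the parameter value has been percent-decoded.
INDICATORS = (
    ("url_scheme",    re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)),
    ("network_path",  re.compile(r"^(//|\\\\)")),
    ("absolute_path", re.compile(r"^(/|[A-Za-z]:[\\/])")),
    ("traversal",     re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("ip_address",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
)


def suspicious_parameters(target):
    """Return [(param, decoded_value, [indicator, ...])] for one request target."""
    query = urlsplit(target).query
    findings = []
    # parse_qsl percent-decodes values, so encoded schemes are caught too.
    for name, value in parse_qsl(query, keep_blank_values=True):
        hits = [label for label, rx in INDICATORS if rx.search(value)]
        if hits:
            findings.append((name, value, hits))
    return findings


def scan_log(text):
    """Parse access-log lines and return one alert dict per flagged parameter."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        for name, value, hits in suspicious_parameters(m["target"]):
            alerts.append({
                "src": m["src"], "ts": m["ts"], "status": int(m["status"]),
                "param": name, "value": value, "indicators": hits,
            })
    return alerts


def sources_by_alert_count(alerts):
    """Aggregate alerts per client address, most active first."""
    counts = {}
    for a in alerts:
        counts[a["src"]] = counts.get(a["src"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['src']:14} {a['param']}={a['value']!r} "
              f"-> {','.join(a['indicators'])} (HTTP {a['status']})")
    print("per-source:", sources_by_alert_count(found))
```

The HTTP status is carried into each alert because a flagged request that the server answered with 200 deserves a different triage priority than one it rejected; pair these alerts with the outbound-connection monitoring the advisory also recommends, since a successful remote include typically shows up as the server itself fetching a file from an unfamiliar address at the same timestamp.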

Compensating Controls: If patching is not immediately possible, implement the following controls:

  • Restrict network access to the affected server using a firewall or network access control list (ACL) to allow connections only from trusted IP addresses.
  • Deploy a Web Application Firewall (WAF) with rules designed to detect and block Remote File/Code Inclusion attack patterns.
  • Ensure the application is running with the lowest possible user privileges to limit the impact of a potential compromise.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity and potential for complete system compromise, organizations must treat this vulnerability with the highest urgency. All systems running the affected ActADUR local server product should be identified and patched immediately. Although it is not yet on the CISA KEV list, the high impact makes proactive patching essential. If patching must be delayed, the compensating controls listed above should be implemented without delay to reduce the immediate risk of exploitation.