CVE-2025-41736
low · low Multiple Products
A high-severity vulnerability (CVSS 8.8) affecting multiple "low" products allows a remote attacker with only low-level user privileges to write files outside the intended upload directory and, from there, take full control of an affected system.
Executive summary
The flaw is a path traversal weakness in a file upload component: the application trusts the client-supplied filename, so an attacker holding a low-privileged account can direct an uploaded file to an arbitrary location on the server. If that file is a script placed where the web server or another process will execute it, the result is remote code execution, with data theft, full system compromise and significant operational disruption as the likely consequences.
Vulnerability
The vulnerability exists within a file upload component of a PHP application used by multiple "low" products. The application does not properly sanitize the user-supplied filename before using it to build the destination path. A remote attacker with low-level user privileges can therefore submit a filename containing path traversal sequences (for example ../../, which may also arrive URL-encoded or with backslashes, depending on how the server decodes input) and escape the intended storage directory, writing a file such as a malicious Python script to an arbitrary location on the server's filesystem, or overwriting an existing file there. If the attacker can place the script in a web-accessible directory, or in a location from which another process will run it, they achieve remote code execution in the context of the web server or application user. Note that the limiting factor is the filesystem permissions of that user: anything it can write to is reachable.
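The following is an added illustration, not code from the affected product or its vendor, of the flawed filename handling described above and of one way to harden it. The upload root, directory layout and extension allowlist are assumptions chosen for the example; it uses posixpath so the path resolution is the same on any host. The vulnerable function shows where an unsanitised filename actually lands once the .. segments are resolved; the safe function rejects anything with a directory component or a disallowed extension and confirms the result is still contained in the upload root.

```python
import posixpath
import re

# Assumed values for this illustration; the real product's paths and upload
# policy are not stated in the advisory.
UPLOAD_DIR = "/var/www/app/uploads"
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "pdf"}
# One to 128 characters, must start with a letter or digit (so ".htaccess" and
# ".." are excluded), no separators, no percent signs.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def vulnerable_target_path(filename: str) -> str:
    """Flawed pattern: the client-supplied filename is joined onto the upload
    root with no sanitisation. normpath() resolves the '..' segments so the
    return value is the path the file would really be written to."""
    return posixpath.normpath(posixpath.join(UPLOAD_DIR, filename))


def escapes_upload_root(filename: str) -> bool:
    """True when the unsanitised target path lies outside UPLOAD_DIR."""
    target = vulnerable_target_path(filename)
    return posixpath.commonpath([UPLOAD_DIR, target]) != UPLOAD_DIR


def safe_target_path(filename: str) -> str:
    """Hardened version. Rejects rather than silently repairs, so attempts are
    visible as errors in the application log."""
    # Refuse any directory component outright, on either separator style.
    if "/" in filename or "\\" in filename:
        raise ValueError(f"directory separator in filename: {filename!r}")
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    # Extension allowlist: .py, .php, .phtml etc. can never be written.
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {filename!r}")
    target = posixpath.normpath(posixpath.join(UPLOAD_DIR, filename))
    # Containment check. Redundant after the checks above, but it survives a
    # future refactor that reintroduces a path component from the client.
    if posixpath.commonpath([UPLOAD_DIR, target]) != UPLOAD_DIR:
        raise ValueError(f"path escapes upload root: {target}")
    return target


if __name__ == "__main__":
    # Constructed inputs: a benign upload, a traversal to /tmp, and a traversal
    # into an assumed web-accessible directory one level up from the upload root.
    for f in ("report.pdf", "../../../../tmp/backdoor.py", "../public/shell.php"):
        print(f"{f!r:34} -> {vulnerable_target_path(f):36} escapes={escapes_upload_root(f)}")
        try:
            print(f"{'':34}    hardened: {safe_target_path(f)}")
        except ValueError as e:
            print(f"{'':34}    hardened: rejected ({e})")
```

The containment check alone would not be enough in a real fix: without the extension allowlist, an attacker who cannot leave the upload directory can still drop a .php file there, which is why the advisory's permission hardening (no script execution from the upload location) matters even after patching.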
Business impact
This vulnerability is rated High severity with a CVSS score of 8.8 and poses a significant risk to the organization. Successful exploitation gives an attacker arbitrary code execution on the affected server, which in practice means a complete compromise of that host. Potential consequences include theft of sensitive data, disruption of critical business services, financial loss and reputational damage. A compromised server can also serve as a foothold for further attacks against the internal network, escalating the overall impact well beyond the application itself.
Remediation
Immediate Action: The vendor, low, has released security patches to address this vulnerability. All organizations must prioritize the immediate application of these patches, especially on internet-facing systems. System administrators should follow the vendor's specific guidance for installation and verification.
Proactive Monitoring: Security teams should actively monitor for signs of exploitation. This includes reviewing web server and application logs for POST requests to file upload endpoints whose filenames contain path traversal sequences (../ and ..\, including URL-encoded forms such as %2e%2e%2f), and for uploads of files with script extensions such as .py or .php. Monitor for the creation of new or unexpected Python files in web-accessible or system directories. Additionally, monitor network traffic for unusual outbound connections from affected servers and look for unexpected processes running under the web server's user account.
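As an added example of the log review described above (this is not tooling from the vendor or the advisory), the script below scans constructed application log lines in a hypothetical format, decodes percent-encoding before matching so that encoded traversal is not missed, and flags uploads whose filename either escapes the directory or carries a script extension. The log format, endpoint path and usernames are all made up for the illustration; adapt LINE_RE to the real product's logging.

```python
import re
import urllib.parse

# Constructed sample log lines in a hypothetical upload-log format. The real
# product's log format is not given in the advisory.
SAMPLE_LOG = """\
2025-06-03T10:12:01Z POST /api/upload user=alice filename="q2-report.pdf" status=200
2025-06-03T10:12:44Z POST /api/upload user=guest filename="../../../../tmp/run.py" status=200
2025-06-03T10:13:02Z POST /api/upload user=guest filename="..%2F..%2Fpublic%2Fshell.py" status=200
2025-06-03T10:13:30Z POST /api/upload user=bob filename="holiday.jpg" status=200
2025-06-03T10:14:05Z GET /api/upload user=guest filename="" status=405
2025-06-03T10:15:11Z POST /api/upload user=guest filename="..\\..\\win\\x.py" status=200
2025-06-03T10:16:00Z POST /api/upload user=carol filename="notes.py" status=200
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) user=(?P<user>\S+) '
    r'filename="(?P<filename>[^"]*)"'
)
# A '..' segment delimited by start/end of string, slash or backslash.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
SCRIPT_EXT = {"py", "php", "phtml", "phar", "sh", "pl", "cgi"}


def decode_filename(raw: str) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded '%252e' does not
    slip past the traversal check."""
    s = raw
    for _ in range(3):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(line: str):
    """Return a finding dict for a suspicious upload line, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    filename = decode_filename(m["filename"])
    reasons = []
    if TRAVERSAL_RE.search(filename):
        reasons.append("path traversal")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in SCRIPT_EXT:
        reasons.append(f"script extension .{ext}")
    if not reasons:
        return None
    return {"ts": m["ts"], "user": m["user"], "path": m["path"],
            "filename": filename, "reasons": reasons}


def scan(log_text: str):
    """Scan a whole log and return the findings in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def users_by_hits(findings):
    """Count findings per user; repeat offenders go to the top of the triage list."""
    counts = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    findings = scan(SAMPLE_LOG)
    for f in findings:
        print(f"{f['ts']} {f['user']:6} {f['filename']!r:32} {', '.join(f['reasons'])}")
    print("per user:", users_by_hits(findings))
```

A traversal hit with a script extension from a low-privileged account, as in the guest lines above, is the pattern this advisory describes and should be triaged as a probable exploitation attempt; a script extension on its own (the carol line) may be benign but is worth confirming against the upload directory's contents.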
Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce risk:
- Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block path traversal attacks in file upload requests.
- If possible, disable the file upload functionality for low-privileged users or restrict it to only trusted administrative accounts.
- Harden file system permissions to ensure the web server's user account can only write to designated upload directories and cannot execute scripts from those locations.
- Ensure Endpoint Detection and Response (EDR) solutions are deployed and configured to monitor for and alert on suspicious process creation originating from the web server.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability represents a serious risk to the organization: it requires only low-privileged access and leads directly to remote code execution. No public exploit is known at the time of writing and the CVE is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, but path traversal in an upload handler is straightforward to weaponize once the details are understood, and the CVSS score of 8.8 warrants immediate attention. We strongly recommend that all affected systems, particularly those exposed to the internet, be patched immediately per the vendor's advisory. If patching cannot be performed right away, implement the compensating controls outlined above and enhance monitoring to detect any exploitation attempts.