A critical vulnerability has been identified in the Saurus CMS Community Edition, assigned a maximum severity score of 10.0. This flaw allows an unauthenticated attacker to remotely execute arbitrary code on the server, leading to a complete system compromise. Organizations using the affected software are at immediate risk of data theft, service disruption, and full server takeover.

The vulnerability exists within the custom DB::prepare() function of the Saurus CMS application. This function utilizes the preg_replace() PHP function with the /e (PREG_REPLACE_EVAL) modifier, which has been deprecated due to its inherent security risks. The /e modifier instructs preg_replace() to treat the replacement string as PHP code and execute it. An attacker can craft a malicious input that, when processed by this function as a SQL query parameter, will be executed as code on the server, resulting in Remote Code Execution (RCE).

This vulnerability is rated as critical severity with a CVSS score of 10, representing the highest possible risk. Successful exploitation would grant an attacker complete control over the web server hosting the Saurus CMS instance. The potential consequences include, but are not limited to, theft of all data stored in the CMS database (such as customer information, user credentials, and proprietary content), unauthorized modification of the website, service disruption, and using the compromised server to launch further attacks against the organization's internal network or external targets. This could lead to significant financial loss, regulatory penalties, and severe reputational damage.

Immediate Action: The most effective mitigation is to immediately apply the security updates provided by the vendor. Administrators must Update Saurus CMS Community Edition Multiple Products to the latest version to patch the vulnerable DB::prepare() function. Following the update, it is crucial to monitor for exploitation attempts and review access logs for any signs of compromise that may have occurred prior to patching.

Proactive Monitoring:

• Web Server Logs: Scrutinize web server (e.g., Apache, Nginx) access and error logs for unusual POST or GET requests. Look for requests containing PHP code, shell commands, or suspicious character sequences (e.g., eval(), system(), passthru()) within query parameters.
• File Integrity Monitoring (FIM): Implement FIM to detect unauthorized changes to core CMS files or the creation of new files (e.g., web shells) in web-accessible directories.
• Network Traffic: Monitor for anomalous outbound connections from the Saurus CMS server, which could indicate a successful compromise and communication with an attacker's command-and-control server.

Compensating Controls: If patching cannot be performed immediately, the following temporary controls can reduce the risk of exploitation:

• Web Application Firewall (WAF): Deploy a WAF with a strict ruleset designed to block common code injection and command injection attack patterns in web requests.
• Network Segmentation: Isolate the server hosting Saurus CMS from other critical internal systems to prevent lateral movement in the event of a compromise.
• Least Privilege: Ensure the web server's user account has the minimum permissions necessary to function, limiting an attacker's ability to impact the underlying operating system.

Public Exploit Available: False

Given the critical severity (CVSS 10) of this vulnerability and the high probability of exploit development, we strongly recommend that organizations treat this as an emergency. Immediate patching of all affected Saurus CMS instances is the highest priority. If patching is delayed for any reason, compensating controls, especially a properly configured Web Application Firewall, must be implemented without delay. Although this CVE is not currently on the CISA KEV catalog, its critical nature makes it a prime candidate for future inclusion, and organizations should act proactively to prevent a potential compromise.