CVE-2025-50674

issue · issue Multiple Products


Executive summary

A high-severity vulnerability has been discovered in the password change functionality of multiple products from the vendor "issue." This flaw could allow an attacker to change user passwords without proper authorization, potentially leading to a complete system compromise by escalating privileges to an administrative level. Organizations are urged to apply the vendor-supplied security patches immediately to prevent unauthorized access and protect sensitive data.

Vulnerability

The vulnerability exists within the changePassword method located in the /usr/share/php/openmediavault/system/user file. This function fails to properly validate or enforce authorization checks when a password change is requested. An authenticated attacker with low-level privileges could exploit this flaw by crafting a specific request to change the password of any other user on the system, including administrative accounts. Successful exploitation results in privilege escalation, granting the attacker unauthorized administrative control over the affected system.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.8, posing a significant risk to the organization. Successful exploitation could lead to a full system compromise, allowing an attacker to access, modify, or exfiltrate sensitive data, disrupt critical services, and install malicious software. The primary business risks include data breaches, loss of system integrity and confidentiality, operational downtime, and the potential for an attacker to use the compromised system as a pivot point for further attacks within the corporate network.

Remediation

Immediate Action: The primary remediation is to apply the security updates provided by the vendor across all affected systems immediately. After patching, it is crucial to review system access logs for any unauthorized password changes or suspicious administrative logins that may have occurred prior to the patch application.

Proactive Monitoring: Implement enhanced monitoring of authentication and system logs. Specifically, look for multiple failed login attempts followed by a successful one from an unusual IP address, password change events for administrative accounts initiated by non-administrative users, and any unexpected commands being executed by the web server process.
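A sketch of two of the checks described above, added here as an example; it is not part of the original advisory or the vendor's code. The JSON-lines event format, the field names, the administrator list, the per-user IP baseline and the failure threshold are all assumptions, and the log lines are constructed.

```python
import json
from collections import defaultdict

# Constructed sample events, one JSON object per line. The field names and event
# types are assumptions for illustration, not the product's real log format.
SAMPLE_LOG = """\
{"ts": "2025-01-10T09:00:01Z", "event": "login_failed", "actor": "alice", "ip": "198.51.100.23"}
{"ts": "2025-01-10T09:00:03Z", "event": "login_failed", "actor": "alice", "ip": "198.51.100.23"}
{"ts": "2025-01-10T09:00:05Z", "event": "login_failed", "actor": "alice", "ip": "198.51.100.23"}
{"ts": "2025-01-10T09:00:09Z", "event": "login_ok", "actor": "alice", "ip": "198.51.100.23"}
{"ts": "2025-01-10T09:05:00Z", "event": "login_ok", "actor": "bob", "ip": "192.0.2.21"}
this line is not JSON and must be skipped
{"ts": "2025-01-10T09:06:10Z", "event": "password_change", "actor": "bob", "target": "bob", "ip": "192.0.2.21"}
{"ts": "2025-01-10T09:06:40Z", "event": "password_change", "actor": "bob", "target": "admin", "ip": "192.0.2.21"}
{"ts": "2025-01-10T09:30:00Z", "event": "password_change", "actor": "admin", "target": "admin", "ip": "192.0.2.10"}
"""

ADMINS = {"admin"}  # assumed list of administrative accounts
USUAL_IPS = {"alice": {"192.0.2.20"}, "bob": {"192.0.2.21"}, "admin": {"192.0.2.10"}}  # assumed baseline
FAIL_THRESHOLD = 3  # assumed: failures before a success becomes suspicious


def detect(lines, admins=ADMINS, usual_ips=USUAL_IPS, threshold=FAIL_THRESHOLD):
    """Return (rule, ts, actor, detail) tuples for the two monitored patterns."""
    alerts = []
    failures = defaultdict(int)  # failed logins per account since its last success
    for line in lines:
        try:
            ev = json.loads(line)
            kind, actor, ip = ev.get("event"), ev.get("actor"), ev.get("ip")
        except (json.JSONDecodeError, AttributeError):
            continue  # skip blank, malformed or non-object lines instead of aborting
        if kind == "login_failed":
            failures[actor] += 1
        elif kind == "login_ok":
            # Success after repeated failures, from an address outside the baseline.
            if failures.pop(actor, 0) >= threshold and ip not in usual_ips.get(actor, set()):
                alerts.append(("failed_then_success_unusual_ip", ev.get("ts"), actor, ip))
        elif kind == "password_change":
            # An administrative account's password changed by a non-administrative user.
            if ev.get("target") in admins and actor not in admins:
                alerts.append(("admin_password_changed_by_non_admin", ev.get("ts"), actor, ev.get("target")))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample this reports alice's login after three failures from an address outside her baseline, and bob's change of the admin password; bob changing his own password and admin changing its own are not flagged.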

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:

  • Restrict network access to the device's management interface to a dedicated and trusted administrative network or specific IP addresses.
  • Deploy a Web Application Firewall (WAF) with rulesets designed to inspect and block malicious requests targeting the password change endpoint.
  • Enforce Multi-Factor Authentication (MFA) on all administrative accounts to provide an additional layer of security, mitigating the risk of a compromised password.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score of 7.8 and the critical impact of privilege escalation, we strongly recommend that organizations prioritize patching this vulnerability immediately, starting with internet-facing systems. Although this CVE is not currently on the CISA KEV list, its severity makes it a prime target for future exploitation. Organizations should treat this as an urgent threat and apply all recommended remediation and monitoring actions without delay to prevent a potential system compromise.