CVE-2025-51536

Austrian Archaeological Institute · OpenAtlas

A critical vulnerability has been identified in Austrian Archaeological Institute's OpenAtlas software, which contains a hardcoded, unchangeable password for the administrator account.

Executive summary

A critical vulnerability has been identified in Austrian Archaeological Institute's OpenAtlas software, which contains a hardcoded, unchangeable password for the administrator account. This flaw allows any attacker with knowledge of this password to easily gain complete control over the system. Successful exploitation could lead to a total compromise of the application, resulting in data theft, data destruction, and significant operational disruption.

Vulnerability

The OpenAtlas application contains a hardcoded credential (CWE-798: Use of Hard-coded Credentials) for the 'Administrator' user account. This means a static, default password is built directly into the software's code and cannot be changed by users. An unauthenticated remote attacker can exploit this vulnerability by simply obtaining the hardcoded password from public sources and using it to log into the application's administrative interface, granting them the highest level of privilege.
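The following is an added illustration of the CWE-798 pattern described above and of the corrective pattern a fix would follow; it is hypothetical example code, not OpenAtlas source, and the placeholder constant, function and class names are assumptions. The vulnerable form compares against a string constant baked into the program, so anyone who can read the source (or a public write-up of it) holds the credential permanently. The hardened form generates a per-installation random password at first setup, stores only a salted PBKDF2 hash, compares in constant time, and forces a change on first login so that no two deployments share a credential.

```python
"""Hypothetical illustration of a hardcoded admin credential (CWE-798)
beside a hardened bootstrap. Not OpenAtlas code; names are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

ADMIN_USERNAME = "Administrator"

# --- Vulnerable pattern: the credential is a constant in the source tree ---
HARDCODED_ADMIN_PASSWORD = "placeholder-not-a-real-password"  # constructed placeholder


def vulnerable_check_login(username: str, password: str) -> bool:
    """Every copy of the software accepts the same password; users cannot change it."""
    return username == ADMIN_USERNAME and password == HARDCODED_ADMIN_PASSWORD


# --- Hardened pattern: per-install secret, salted hash, forced rotation ---
@dataclass
class AdminAccount:
    username: str
    salt: bytes
    pw_hash: bytes
    must_change_password: bool  # True until the operator sets their own password


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-account random salt; iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def bootstrap_admin(initial_password: Optional[str] = None) -> Tuple[AdminAccount, str]:
    """Create the administrator at first setup.

    The password is either supplied by the operator at deploy time or generated
    randomly for this installation; it is returned once so it can be shown to
    the operator, and never appears in code or in version control.
    """
    password = initial_password or secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    account = AdminAccount(
        username=ADMIN_USERNAME,
        salt=salt,
        pw_hash=hash_password(password, salt),
        must_change_password=True,
    )
    return account, password


def verify_login(account: AdminAccount, username: str, password: str) -> bool:
    """Constant-time comparison of the derived hash; no plaintext is stored."""
    if username != account.username:
        return False
    candidate = hash_password(password, account.salt)
    return hmac.compare_digest(candidate, account.pw_hash)


def change_password(account: AdminAccount, new_password: str) -> None:
    """Rotate the credential; a fresh salt is drawn so old hashes are not reusable."""
    account.salt = secrets.token_bytes(16)
    account.pw_hash = hash_password(new_password, account.salt)
    account.must_change_password = False


if __name__ == "__main__":
    acct, one_time_pw = bootstrap_admin()
    print("initial password (show once to operator):", one_time_pw)
    print("login ok:", verify_login(acct, ADMIN_USERNAME, one_time_pw))
    print("must change:", acct.must_change_password)
```

The property worth noticing is that two independent calls to `bootstrap_admin()` never yield the same credential, which is exactly what the hardcoded form cannot provide.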

Business impact

This vulnerability is rated as Critical with a CVSS score of 9.8, reflecting its extreme severity and ease of exploitation. An attacker with administrative access can perform any action within the OpenAtlas application, including viewing, modifying, and deleting all archaeological project data, user information, and system configurations. The potential consequences include a severe data breach of sensitive research, intellectual property theft, complete data loss, and significant reputational damage to the organization. The risk is exceptionally high as no sophisticated tools are required for exploitation, only knowledge of the publicly available password.

Remediation

Immediate Action: Apply the security update provided by the Austrian Archaeological Institute as soon as possible. After patching, thoroughly review all system and application access logs for any unauthorized or suspicious logins to the administrator account that may have occurred before the update was applied.

Proactive Monitoring: Implement continuous monitoring of application logs with a specific focus on administrator account activity. Configure alerts for any successful administrator logins, especially from unknown or external IP addresses. Monitor for unusual activities such as mass data exports, significant configuration changes, or the creation of new privileged accounts.
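As an added example of the monitoring described above (not OpenAtlas code and not an OpenAtlas log format), the script below runs four detection rules over a constructed, key=value style application log: a successful administrator login from an address outside a trusted network list, a burst of exported rows by one user within a ten-minute window, creation of a new account with an admin role, and a settings change. The log lines, field names, thresholds and network ranges are all constructed assumptions; a real deployment would map them onto the application's actual log fields.

```python
"""Added example: alerting rules for administrator-account activity over a
constructed log. Field names, thresholds and networks are assumptions."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Any, Dict, List

ADMIN_USERS = {"Administrator"}
# Assumed trusted ranges; anything else is treated as unknown/external.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
EXPORT_ROW_THRESHOLD = 3000          # rows exported by one user within EXPORT_WINDOW
EXPORT_WINDOW = timedelta(minutes=10)

# Constructed sample log: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2025-07-01T08:12:03Z event=login result=success user=Administrator ip=10.0.0.5
2025-07-01T08:13:10Z event=login result=failure user=Administrator ip=198.51.100.9
2025-07-01T08:13:12Z event=login result=success user=Administrator ip=203.0.113.7
2025-07-01T08:14:00Z event=export user=Administrator ip=203.0.113.7 rows=1500
2025-07-01T08:14:30Z event=export user=Administrator ip=203.0.113.7 rows=2200
2025-07-01T08:15:30Z event=user_create user=Administrator ip=203.0.113.7 target=backup_admin role=admin
2025-07-01T08:16:00Z event=settings_change user=Administrator ip=203.0.113.7 key=mail_server
2025-07-01T08:20:00Z event=login result=success user=alice ip=10.0.0.8
2025-07-01T08:21:00Z event=export user=alice ip=10.0.0.8 rows=40
"""


def parse_line(line: str) -> Dict[str, Any]:
    """Split 'TIMESTAMP k=v k=v ...' into a record with a parsed datetime."""
    ts_str, *pairs = line.split()
    rec: Dict[str, Any] = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def ip_is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def make_alert(rule: str, rec: Dict[str, Any], detail: Any) -> Dict[str, Any]:
    return {"rule": rule, "ts": rec["ts"].isoformat(), "user": rec.get("user"),
            "ip": rec.get("ip"), "detail": detail}


def detect(log_text: str) -> List[Dict[str, Any]]:
    """Apply the four rules in log order and return the alerts raised."""
    alerts: List[Dict[str, Any]] = []
    exports: Dict[str, deque] = defaultdict(deque)  # per-user (ts, rows) in window

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        event = rec.get("event")

        # Rule 1: successful admin login from an untrusted address.
        if event == "login" and rec.get("result") == "success" \
                and rec.get("user") in ADMIN_USERS and not ip_is_trusted(rec["ip"]):
            alerts.append(make_alert("admin_login_untrusted_ip", rec, rec["ip"]))

        # Rule 2: mass export, measured as rows per user within a sliding window.
        elif event == "export":
            window = exports[rec["user"]]
            window.append((rec["ts"], int(rec["rows"])))
            while window and rec["ts"] - window[0][0] > EXPORT_WINDOW:
                window.popleft()
            total = sum(rows for _, rows in window)
            if total >= EXPORT_ROW_THRESHOLD:
                alerts.append(make_alert("mass_export", rec, total))
                window.clear()  # one alert per burst, not one per line

        # Rule 3: a new privileged account was created.
        elif event == "user_create" and rec.get("role") == "admin":
            alerts.append(make_alert("privileged_account_created", rec, rec.get("target")))

        # Rule 4: any settings change is worth a ticket during an investigation.
        elif event == "settings_change":
            alerts.append(make_alert("config_change", rec, rec.get("key")))

    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["ts"]} {a["rule"]:28} user={a["user"]} ip={a["ip"]} detail={a["detail"]}')
```

On the sample above the trusted-network login and the ordinary user's small export are silent, while the external administrator login, the 3700-row export burst, the new admin account and the settings change each raise one alert; the failed external login is recorded but not alerted on, which is a threshold choice worth revisiting if such failures become frequent.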

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce the risk of exploitation:

  • Use a firewall or network access control lists (ACLs) to restrict access to the application's login page to only trusted IP addresses.
  • Place the application behind a Web Application Firewall (WAF) and create a rule to block or alert on any login attempts to the default administrator account.
  • If the application allows, disable the default administrator account immediately.

Exploitation status

Public Exploit Available: true

Analyst recommendation

Given the critical CVSS score of 9.8 and the public availability of the exploit, this vulnerability poses an immediate and severe threat to the organization. We strongly recommend that all affected instances of Austrian Archaeological Institute products be patched immediately as the highest priority. Organizations must operate under the assumption of compromise and conduct a thorough investigation of access logs to identify any malicious activity. Although this CVE is not currently on the CISA KEV list, its characteristics make it a prime candidate for future inclusion, and it must be treated with the utmost urgency.