A high-severity vulnerability has been identified in multiple uxper products, allowing for remote code execution. An unauthenticated remote attacker can exploit this flaw to trick the server into downloading and running malicious code from an external source. Successful exploitation could lead to a complete system compromise, resulting in data theft, service disruption, and further intrusions into the network.

This vulnerability is a Remote File Inclusion (RFI) flaw within the PHP code of the affected software. The application fails to properly sanitize user-supplied input that is used to construct a filename for an include or require statement. An unauthenticated remote attacker can craft a special request, providing a URL to a malicious file hosted on an attacker-controlled server. The vulnerable uxper application will then fetch and execute this remote file, granting the attacker the ability to run arbitrary code with the permissions of the web server process.

This is a High severity vulnerability with a CVSS score of 8.1, posing a significant risk to the organization. A successful exploit allows for unauthenticated remote code execution, which can lead to a complete compromise of the affected server. Potential consequences include the exfiltration of sensitive corporate or customer data, deployment of ransomware, installation of cryptocurrency miners, or using the compromised server as a staging point for further attacks against the internal network. Such an incident could result in severe financial loss, reputational damage, and regulatory penalties.

Immediate Action: Apply the security updates provided by the vendor to all affected systems immediately, prioritizing internet-facing servers. After patching, it is critical to monitor for any signs of post-exploitation activity by reviewing web server access logs, system logs, and outbound network traffic for indicators of compromise that may have occurred prior to the patch.

Proactive Monitoring: Security teams should actively monitor for exploitation attempts. In web server access logs, look for requests containing full URLs (e.g., "http://", "https://") in GET or POST parameters. Monitor for unusual outbound network connections from the web server, especially to unknown IP addresses or domains. On the host, monitor for unexpected processes being spawned by the web server user (e.g., www-data, apache).

Compensating Controls: If immediate patching is not feasible, the following controls can help mitigate risk:

• Web Application Firewall (WAF): Implement or update WAF rules to block requests containing common RFI patterns and external URLs in parameters.
• PHP Configuration: On the server, disable allow_url_include in the php.ini configuration file. This is a primary server-side defense against RFI vulnerabilities.
• Egress Filtering: Configure firewalls to block or restrict outbound traffic from the web server to the internet, preventing it from connecting to an attacker's server to download the malicious file.

Public Exploit Available: false

Due to the High severity (CVSS 8.1) and the critical impact of remote code execution, this vulnerability requires immediate attention. The primary recommendation is to apply the vendor-supplied patches to all affected uxper products without delay. While this vulnerability is not currently on the CISA KEV list, its characteristics make it a prime candidate for future inclusion. Organizations must treat this as an active threat and, if patching is delayed, immediately implement the compensating controls outlined above to reduce the risk of compromise.