CVE-2025-55151

Stirling-PDF · Stirling-PDF

Executive summary

A critical vulnerability has been identified in the Stirling-PDF application, which could allow an unauthenticated remote attacker to execute arbitrary code on the server where the software is hosted. Successful exploitation could lead to a complete system compromise, enabling attackers to steal sensitive data, disrupt operations, or use the compromised server for further malicious activities. Organizations using this software face a significant risk of data breach and system takeover.

Vulnerability

The vulnerability exists within the file processing module of the Stirling-PDF web application. Due to improper validation of user-supplied data within uploaded PDF files, a specially crafted file can trigger a command injection flaw. An unauthenticated remote attacker can upload a malicious PDF, which, when processed by the application, executes arbitrary commands on the underlying server with the privileges of the web application user. This allows an attacker to gain initial access to the system, enabling them to read, write, or delete files and potentially establish a persistent foothold.

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.6. A successful exploit would have a significant business impact, potentially leading to a complete compromise of the server hosting the Stirling-PDF application. This could result in the exfiltration of sensitive business or personal documents processed by the application, leading to regulatory fines, reputational damage, and loss of customer trust. Furthermore, a compromised server could be used as a pivot point to attack other internal network resources, expanding the scope of the breach and increasing the overall risk to the organization.

Remediation

Immediate Action: Apply the vendor-supplied security updates to all vulnerable Stirling-PDF instances without delay. Before and after patching, actively monitor for indicators of compromise by reviewing web server and application logs for unusual POST requests to file-processing endpoints and for error messages related to file processing.

Proactive Monitoring:

  • Log Analysis: Scrutinize web server logs for requests to file upload endpoints from unknown or suspicious IP addresses. Check application logs for errors or warnings that could indicate a failed exploitation attempt.
  • Network Traffic: Monitor for anomalous outbound network connections from the Stirling-PDF server, which could indicate a reverse shell or data exfiltration.
  • System Behavior: Look for unexpected processes running under the web server's user account, or the creation of suspicious files in web-accessible directories.
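The log-analysis items above can be turned into a small triage script. The following is an added example, not part of the original advisory and not Stirling-PDF project code; it parses combined-format access log lines and flags POSTs to file-processing endpoints from outside trusted ranges, 5xx responses on those endpoints (a possible failed exploitation attempt), and POST bursts from a single source. The `/api/v1/` endpoint prefix, the trusted networks, the burst threshold and the sample log lines are all constructed assumptions for the demonstration; adjust them to the deployment.

```python
"""Triage web server access logs for suspicious Stirling-PDF upload activity."""
import ipaddress
import re
from collections import Counter

# Combined log format as written by nginx/Apache by default. Assumption: the
# deployment has not customised log_format; adjust the regex if it has.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumptions: file-processing endpoints live under this prefix, and these are
# the networks legitimate users upload from. Everything else is "untrusted".
PROCESSING_PREFIX = "/api/v1/"
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
BURST_THRESHOLD = 5  # POSTs to processing endpoints from one IP in the log window


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip):
    """True when the client address falls inside one of TRUSTED_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def analyze(lines):
    """Return a list of (finding_kind, source_ip, detail) tuples."""
    findings = []
    posts_per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparsed", None, line.strip()))
            continue
        if not rec["path"].startswith(PROCESSING_PREFIX):
            continue  # only file-processing endpoints are of interest here
        if rec["method"] == "POST":
            posts_per_ip[rec["ip"]] += 1
            if not is_trusted(rec["ip"]):
                findings.append(("untrusted_source_post", rec["ip"], rec["path"]))
        if 500 <= rec["status"] < 600:
            # Server errors while processing an upload can indicate a malformed
            # or malicious file that the application choked on.
            findings.append(("processing_error", rec["ip"], rec["path"]))
    for ip, n in posts_per_ip.items():
        if n >= BURST_THRESHOLD:
            findings.append(("post_burst", ip, n))
    return findings


# Constructed sample log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Sep/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Sep/2025:10:00:05 +0000] "POST /api/v1/convert/pdf/img HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Sep/2025:10:01:10 +0000] "POST /api/v1/misc/compress-pdf HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [01/Sep/2025:10:01:11 +0000] "POST /api/v1/misc/compress-pdf HTTP/1.1" 200 1024 "-" "python-requests/2.31"',
    '203.0.113.7 - - [01/Sep/2025:10:01:12 +0000] "POST /api/v1/misc/compress-pdf HTTP/1.1" 200 1024 "-" "python-requests/2.31"',
    '203.0.113.7 - - [01/Sep/2025:10:01:13 +0000] "POST /api/v1/misc/compress-pdf HTTP/1.1" 200 1024 "-" "python-requests/2.31"',
    '203.0.113.7 - - [01/Sep/2025:10:01:14 +0000] "POST /api/v1/misc/compress-pdf HTTP/1.1" 200 1024 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for kind, ip, detail in analyze(SAMPLE_LOG):
        print(f"{kind:22} {ip or '-':15} {detail}")
```

When Stirling-PDF sits behind a reverse proxy, the access log must record the real client address (for example from X-Forwarded-For) or every request will appear to come from the proxy and the trusted-range check becomes meaningless. The same three rules map directly onto SIEM queries if the logs are already centralised.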

Compensating Controls:

  • Web Application Firewall (WAF): If patching is delayed, deploy a WAF with rules designed to inspect and block malicious file uploads and command injection payloads.
  • Network Segmentation: Isolate the server hosting Stirling-PDF from critical internal networks to contain the impact of a potential compromise.
  • Least Privilege: Ensure the application service account has the minimum necessary permissions to function, limiting an attacker's ability to move laterally or cause damage post-exploitation.

Exploitation status

Public Exploit Available: True

Analyst recommendation

Given the High severity (CVSS 8.6) of this vulnerability and the public availability of exploit code, immediate action is required. Organizations are strongly advised to apply the vendor-supplied security patches to all affected Stirling-PDF instances without delay. Although this CVE is not yet listed on the CISA KEV catalog, its critical nature and the ease of exploitation make it a prime target for attackers. Prioritize patching systems exposed to the internet and implement the recommended monitoring and compensating controls to mitigate risk until patching is complete.