A critical vulnerability has been identified in Directus, a real-time API and App dashboard. This flaw allows an unauthenticated attacker to exploit the file update mechanism, potentially leading to a complete system compromise, remote code execution, and unauthorized access to the underlying SQL database. Due to the high severity and lack of required authentication, immediate remediation is strongly advised to prevent data theft and service disruption.

The vulnerability exists within the file update functionality of the Directus platform. An improper authorization check allows an unauthenticated attacker to send a specially crafted request to the file update API endpoint. By manipulating this request, the attacker can bypass security controls and upload or overwrite files on the server, including executable scripts (e.g., a web shell). Successful exploitation results in remote code execution (RCE) with the permissions of the Directus web server process, granting the attacker full control over the application and its data.

This vulnerability is rated as critical severity with a CVSS score of 9.3, posing a significant and immediate threat to the organization. Successful exploitation could lead to a complete compromise of the Directus server, resulting in severe consequences such as the exfiltration of sensitive data from the connected database, deployment of ransomware, service interruption, and reputational damage. The compromised server could also be used as a foothold to launch further attacks against the internal network, escalating the scope of the security breach.

Immediate Action: Immediately upgrade all instances of Directus to version 11.9.3 or later, which contains the patch for this vulnerability. After patching, it is crucial to review server access logs and file system integrity for any signs of compromise that may have occurred prior to the update.

Proactive Monitoring: Security teams should actively monitor for indicators of compromise. This includes reviewing web server logs for unusual POST requests to file upload or update endpoints from unknown IP addresses, monitoring the file system for the creation of unexpected files (e.g., .php, .jsp, .sh files) in publicly accessible directories, and scrutinizing outbound network traffic from the Directus server for connections to suspicious destinations.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce risk:

• Use a Web Application Firewall (WAF) with rules specifically designed to block or alert on malicious file upload attempts.
• Restrict network access to the Directus API and application dashboard to only trusted IP addresses.
• If possible, temporarily disable public-facing file upload functionality until the patch can be applied.

Public Exploit Available: false

Given the critical CVSS score of 9.3 and the fact that this vulnerability can be exploited by an unauthenticated attacker, this issue requires immediate attention. We strongly recommend that organizations prioritize the deployment of the vendor-supplied patch to all affected Directus instances without delay. Although this CVE is not currently listed on the CISA KEV catalog, its characteristics make it a prime candidate for widespread exploitation. If patching is delayed, the compensating controls listed above should be implemented as an urgent temporary measure.