A critical vulnerability has been discovered in the PLY (Python Lex-Yacc) library, allowing for remote code execution. The flaw stems from an undocumented and unsafe feature that deserializes user-supplied data without validation, enabling an attacker to run arbitrary code and completely compromise the affected system. Due to its high severity and the stealthy nature of the undocumented feature, this vulnerability poses a significant risk to organizations.

The vulnerability exists within the yacc() function of the PLY library, which contains an undocumented parameter named picklefile. This parameter accepts a path to a file which is then deserialized using Python's pickle.load() function. As pickle.load() does not validate the data it processes, an attacker can craft a malicious pickle file (.pkl) containing embedded code. By controlling the input to the picklefile parameter, an attacker can trick the application into loading this malicious file, resulting in Remote Code Execution (RCE) on the host system.

This vulnerability is rated as critical with a CVSS score of 9.8, reflecting the ease of exploitation and the potential for complete system compromise. A successful attack would grant an adversary full control over the affected application server, leading to severe consequences such as theft of sensitive data, deployment of ransomware, or using the compromised system to launch further attacks against the internal network. The undocumented nature of the feature introduces a significant risk of a persistent and difficult-to-detect backdoor, potentially leading to long-term compromise, reputational damage, and major business disruption.

Immediate Action: Immediately apply the security update provided by the vendor to patch the PLY library to the latest version. After patching, review system and application access logs for any signs of exploitation, such as unexpected file operations involving .pkl files or unusual process execution.

Proactive Monitoring:

• Log Analysis: Scrutinize application logs for any usage of the yacc() function where the picklefile parameter is present. Monitor file system audit logs for the creation or modification of .pkl files in unexpected locations.
• Network Monitoring: Watch for unusual outbound connections from servers running applications with the PLY library, as this could indicate a successful compromise and communication with a command-and-control server.
• Endpoint Detection: Use endpoint security tools to detect suspicious process execution originating from the application process, which could signal that the RCE vulnerability has been exploited.

Compensating Controls: If immediate patching is not feasible, implement the following controls:

• Input Sanitization: Strictly validate and sanitize all user-controlled input that could potentially be passed to the vulnerable function.
• Web Application Firewall (WAF): Deploy WAF rules to block requests containing patterns indicative of this attack, such as file paths ending in .pkl.
• Principle of Least Privilege: Run the affected application with the minimum permissions necessary to function, thereby limiting the potential impact of a successful code execution exploit.

Public Exploit Available: True

Given the critical CVSS score of 9.8 and the direct path to remote code execution, this vulnerability requires immediate attention. We strongly recommend that all affected systems be patched on an emergency basis. Due to the ease of exploitation, organizations should assume they are being targeted and hunt for evidence of compromise. Although this vulnerability is not currently on the CISA KEV list, its severity and the availability of a public exploit warrant treating it with the highest priority.