A critical command injection vulnerability has been identified in the FTP-Flask-python software component, allowing an unauthenticated remote attacker to execute arbitrary commands on the underlying server. Successful exploitation of this flaw could lead to a complete system compromise, enabling data theft, service disruption, or further intrusion into the network. Due to its high severity and ease of exploitation, immediate remediation is required.

This vulnerability allows for unauthenticated remote code execution (RCE). The flaw exists within the "Upload File" functionality of the /ftp.html endpoint. An attacker can craft a malicious request containing a specially formatted filename that includes OS commands. The application fails to properly sanitize this user-supplied input before passing it to a system shell command, causing the embedded commands to be executed with the privileges of the web application user.

This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit grants an attacker complete control over the affected server, posing a significant risk to the organization. Potential consequences include the exfiltration of sensitive corporate or customer data, deployment of ransomware, manipulation or destruction of data, and using the compromised server as a pivot point to launch further attacks against the internal network. The fact that the vulnerability is exploitable by an unauthenticated attacker over the network dramatically increases the risk profile, as no prior access or credentials are required.

Immediate Action: Immediately apply the vendor-supplied security update to patch the FTP-Flask-python component. If this component is part of a larger product, install the update provided by the product vendor. After patching, it is critical to review access logs and system activity for any signs of compromise that may have occurred prior to remediation.

Proactive Monitoring: Security teams should actively monitor web server access logs for anomalous requests to the /ftp.html endpoint, specifically looking for filenames containing shell metacharacters (e.g., |, &, ;, $, (, )). Monitor for unexpected outbound network connections from the server, which could indicate a reverse shell. Additionally, monitor for suspicious processes being spawned by the web server's user account.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:

• Use a Web Application Firewall (WAF) to create rules that block requests to /ftp.html containing suspicious patterns or shell metacharacters in the filename parameter.
• If the file upload functionality is not business-critical, disable the /ftp.html endpoint entirely.
• Restrict network access to the application, particularly the vulnerable endpoint, to only trusted IP address ranges.

Public Exploit Available: False

This vulnerability represents a critical and immediate threat to the organization. The potential for unauthenticated remote code execution can lead to a full system compromise with minimal effort from an attacker. We strongly recommend that the remediation plan be executed with the highest priority and that all affected systems be patched immediately. Although this CVE is not currently listed on the CISA KEV (Known Exploited Vulnerabilities) catalog, its severe impact makes it a prime candidate for future inclusion and a top priority for patching.