A critical vulnerability has been identified in the Paymenter webshop solution, assigned a CVSS score of 9.9. The flaw allows an authenticated user to upload arbitrary files through the ticket attachment feature, which can lead to remote code execution and a complete compromise of the underlying server. Organizations using affected versions are at immediate risk of data theft, service disruption, and further network intrusion.

The vulnerability exists within the ticket attachments functionality of the Paymenter application. Due to insufficient validation of file types and content, an authenticated attacker can upload a malicious file, such as a web shell, disguised as a legitimate attachment. Once uploaded, the attacker can navigate to the file's location on the server and execute it, gaining full control over the web server with the permissions of the web service account.

This vulnerability is rated as critical severity with a CVSS score of 9.9, reflecting the low complexity of the attack and the high impact on confidentiality, integrity, and availability. A successful exploit could lead to Remote Code Execution (RCE), allowing an attacker to take complete control of the affected server. Potential consequences include theft of sensitive customer and payment data, unauthorized modification of the webshop, complete service disruption, and using the compromised server as a pivot point to attack other internal network resources. This poses a severe risk to business operations, customer trust, and regulatory compliance.

Immediate Action: Immediately update all instances of Paymenter to version 1.2.11 or a later version to patch the vulnerability. After patching, it is crucial to monitor for any signs of post-exploitation activity and thoroughly review web server access logs for suspicious file uploads or access patterns that may have occurred prior to the update.

Proactive Monitoring: Implement enhanced monitoring on affected systems. Security teams should look for suspicious POST requests to the ticket attachment upload endpoint, particularly those containing files with executable extensions (e.g., .php, .phtml, .sh). Monitor file systems for the creation of unexpected files in web-accessible directories and watch for unusual outbound network traffic from the web server, which could indicate a reverse shell or data exfiltration.

Compensating Controls: If immediate patching is not feasible, consider the following controls:

• Deploy a Web Application Firewall (WAF) with rules to block the upload of suspicious or executable file types.
• Temporarily disable the ticket attachment functionality if it is not a business-critical feature.
• Harden web server permissions to ensure that directories where attachments are stored do not have execute permissions.
• Implement file integrity monitoring to detect the creation of unauthorized files in the web root.

Public Exploit Available: false

Due to the critical CVSS score of 9.9, this vulnerability presents a severe and immediate threat to the organization. All system owners must prioritize the deployment of the vendor-supplied patch to version 1.2.11 or later without delay. Although this CVE is not currently listed on the CISA KEV catalog, its high impact and potential for full system compromise make it a prime candidate for future inclusion. Treat this as an emergency patching directive; if patching is not possible, implement the recommended compensating controls immediately while a permanent fix is scheduled.