A critical remote code execution vulnerability, identified as CVE-2025-58428, has been discovered in The Multiple Products. This flaw allows a remote attacker with valid user credentials to execute arbitrary system commands, potentially leading to a complete compromise of the affected system. Due to its critical severity and the potential for full system takeover, immediate remediation is strongly advised.

The vulnerability exists within the TLS4B ATG system's SOAP-based web services interface. An authenticated attacker can send a specially crafted SOAP request to the web services handler containing malicious system commands. Due to improper input validation, the application executes these commands with the privileges of the running service, leading to authenticated remote code execution (RCE).

This vulnerability is rated as critical severity with a CVSS score of 9.9. Exploitation could lead to a complete compromise of the affected server's confidentiality, integrity, and availability. Potential consequences include theft of sensitive data, unauthorized modification of system files and data, and deployment of ransomware or other malware. A successful attack could cause significant operational disruption, financial loss, reputational damage, and could allow an attacker to establish a foothold for further lateral movement within the network.

Immediate Action: Prioritize and apply the vendor-supplied security updates to all affected instances of The Multiple Products. All patching activities should follow established change management procedures. After patching, review access logs and application logs for any signs of compromise that may have occurred before the patch was applied.

Proactive Monitoring:

• Log Analysis: Scrutinize web server and application logs for unusual or malformed SOAP requests targeting the web services handler, particularly those containing shell command syntax (e.g., id, whoami, nc, curl).
• Network Traffic Analysis: Monitor for unexpected outbound connections from affected servers, which could indicate a successful command-and-control channel established by an attacker.
• Endpoint Detection and Response (EDR): Monitor for anomalous process execution originating from the web service process, such as the spawning of shells (cmd.exe, /bin/sh) or script interpreters.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

• Web Application Firewall (WAF): Deploy WAF rules to inspect and block malicious SOAP payloads targeting the vulnerable endpoint.
• Network Segmentation: Restrict network access to the vulnerable SOAP interface, allowing connections only from trusted, internal IP addresses.
• Principle of Least Privilege: Ensure the service account running the application has the minimum permissions necessary for its operation to limit the impact of a potential compromise.

Public Exploit Available: false

Given the critical 9.9 CVSS score, organizations must treat this vulnerability with the highest priority. We strongly recommend immediately applying the vendor-provided patches to all affected systems, starting with those that are internet-facing or handle sensitive data. Although this CVE is not currently listed on the CISA KEV catalog, its severity makes it a prime candidate for future inclusion. If patching cannot be performed immediately, the compensating controls outlined above should be implemented as a temporary mitigation measure.