A critical vulnerability, identified as CVE-2025-60803, has been discovered in multiple Antabot products. This flaw allows an unauthenticated remote attacker to execute arbitrary code on an affected system, potentially leading to a complete system compromise, data theft, and service disruption. Due to its critical severity and ease of exploitation, immediate remediation is strongly advised.

This is an unauthenticated Remote Code Execution (RCE) vulnerability. It exists due to a path confusion flaw in a specific API endpoint. An attacker can send a specially crafted HTTP request to the /api/aaa;/../register component. The use of a semicolon (;) followed by a path traversal sequence (/../) can confuse the server's path parsing logic, causing it to bypass authentication and authorization checks intended for the /api/aaa path and improperly process the /register endpoint, leading to code execution with the privileges of the web server process.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation by an unauthenticated attacker could result in a complete compromise of the affected server. The potential consequences include theft of sensitive corporate or customer data, deployment of ransomware, disruption of business-critical services hosted on the server, and using the compromised system as a pivot point to launch further attacks against the internal network. A public breach resulting from this vulnerability could lead to significant financial loss, regulatory fines, and severe reputational damage.

Immediate Action:

• Patch: Immediately apply the security updates provided by the vendor. Update Antabot Multiple Products to the latest version to remediate this vulnerability.
• Monitor and Review: After patching, actively monitor for any signs of exploitation. Review historical web server and application access logs for any requests targeting the /api/aaa;/../register endpoint or containing similar path traversal patterns.

Proactive Monitoring:

• Log Analysis: Scrutinize HTTP access logs for requests containing the string ;/../ or other path traversal sequences (../, ..%2f, etc.), particularly those targeting API endpoints.
• Network Traffic: Monitor for anomalous outbound network connections from affected servers, which could indicate command-and-control (C2) communication from a successful exploit.
• Endpoint Detection: Use endpoint security solutions to detect suspicious processes spawned by the web server, unexpected file modifications, or the creation of web shells.

Compensating Controls: If patching cannot be performed immediately, implement the following controls:

• Web Application Firewall (WAF): Deploy a WAF rule to block any incoming requests containing the malicious pattern ;/../ in the URL.
• Network Segmentation: Isolate the vulnerable servers from the internet and critical internal networks to limit the potential blast radius of a compromise.
• Access Control Lists (ACLs): Restrict access to the vulnerable application to only trusted IP addresses at the network firewall level.

Public Exploit Available: False

Given the critical CVSS score of 9.8 and the potential for a complete system compromise without authentication, immediate action is required. All organizations using the affected Antabot products must prioritize applying the vendor-supplied patches immediately. Although this vulnerability is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity makes it a prime candidate for future inclusion. If patching is delayed, compensating controls such as WAF rules and network segmentation must be implemented as an urgent temporary measure to mitigate the significant risk.