CVE-2025-61168

SIGB · SIGB PMB

Executive summary

A critical vulnerability has been identified in SIGB PMB, a widely used integrated library system. This flaw, tracked as CVE-2025-61168, allows a remote, unauthenticated attacker to execute arbitrary code on the server, potentially leading to a complete system compromise. Successful exploitation could result in data theft, service disruption, and further unauthorized access into the network.

Vulnerability

The vulnerability is an insecure deserialization flaw in the cms_rest.php component. An attacker can upload a specially crafted file containing a malicious serialized PHP object. When the attacker then triggers the application to process this file through the cms_rest.php endpoint, unserialize() is called on the untrusted data. The result is PHP Object Injection and, ultimately, remote code execution with the permissions of the web server process.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation by an unauthenticated attacker could lead to a full compromise of the affected server. The potential business impact is severe and includes theft of sensitive library data (patron information, records), deployment of ransomware, disruption of library services, and using the compromised server as a pivot point for further attacks against the internal network. Such an incident could result in significant financial loss, reputational damage, and regulatory penalties.

Remediation

Immediate Action: Apply the security patches provided by the vendor immediately. The primary remediation is to update SIGB PMB to the latest version that addresses this vulnerability. After patching, monitor for signs of post-exploitation activity and thoroughly review web server access logs for suspicious requests targeting cms_rest.php.

Proactive Monitoring:

  • Log Analysis: Scrutinize web server logs for unusual POST requests to cms_rest.php, especially those involving file uploads or unexpected parameters.
  • File Integrity Monitoring: Monitor the web application's file system for the creation of unexpected files (e.g., web shells, scripts) in web-accessible directories.
  • Process Monitoring: Look for suspicious processes spawned by the web server user (e.g., www-data, apache), such as shell processes or reverse shell connections.
  • Network Traffic: Monitor for unusual outbound connections from the server hosting the SIGB PMB application.
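A starting point for the log-analysis item above, as an added example that is not part of the original advisory or of PMB itself: it parses access-log lines and reports every request to cms_rest.php that is a POST or comes from outside a trusted range. The combined log format, the 10.0.0.0/8 trusted range, the /pmb/ install path and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Assumption: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumption: placeholder trusted range; replace with the site's own.
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines (documentation IP ranges, hypothetical /pmb/ path).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Oct/2025:10:01:02 +0000] "POST /pmb/cms_rest.php HTTP/1.1" 200 512 "-" "-"',
    '10.1.2.3 - - [12/Oct/2025:10:02:00 +0000] "GET /pmb/cms_rest.php?a=1 HTTP/1.1" 200 90 "-" "-"',
    '198.51.100.20 - - [12/Oct/2025:10:03:00 +0000] "GET /pmb/index.php HTTP/1.1" 200 4000 "-" "-"',
    '10.1.2.3 - - [12/Oct/2025:10:04:00 +0000] "POST /pmb/cms_rest.php HTTP/1.1" 200 64 "-" "-"',
    '203.0.113.7 - - [12/Oct/2025:10:05:00 +0000] "GET /pmb/%63ms_rest.php HTTP/1.1" 200 10 "-" "-"',
    'malformed line that the parser must skip',
]

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(addr in net for net in TRUSTED)

def review(lines):
    """Findings for cms_rest.php requests that are POSTs or from untrusted sources."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line
        # Decode the path so percent-encoded spellings of the file name still match.
        path = unquote(urlsplit(m["target"]).path).lower()
        if "/cms_rest.php" not in path:
            continue
        reasons = []
        if m["method"] == "POST":
            reasons.append("POST")
        if not is_trusted(m["ip"]):
            reasons.append("untrusted-source")
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "status": int(m["status"]), "reasons": reasons})
    return findings

def by_source(findings):
    """Count findings per client address to surface repeat sources."""
    return Counter(f["ip"] for f in findings)
```

Access logs do not record request bodies, so a finding here is a lead to correlate with file-integrity and process monitoring, not proof of an upload.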

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

  • Web Application Firewall (WAF): Deploy a WAF with rules designed to detect and block serialization attacks and malicious requests targeting cms_rest.php.
  • Access Control: Restrict network access to the cms_rest.php endpoint, allowing connections only from trusted IP addresses if possible.
  • Disable Component: If the cms_rest.php component is not essential for business operations, consider disabling or removing the file until a patch can be applied.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the critical severity of this vulnerability, immediate action is required. The primary recommendation is to apply the vendor-supplied patch to all affected instances of SIGB PMB without delay. Although this CVE is not currently in the CISA Known Exploited Vulnerabilities (KEV) catalog, its high-impact nature makes it a prime target for exploitation. If patching cannot be performed immediately, implement the compensating controls listed above, particularly restricting access via a WAF, as an urgent temporary measure.