A critical vulnerability has been identified in the Flag Forge CTF platform, assigned a CVSS score of 9.4. This flaw allows an unauthenticated, remote attacker to access administrative functions, potentially leading to a complete compromise of the platform. Successful exploitation could result in data theft, service disruption, and arbitrary code execution on the underlying server.

The vulnerability is an authentication bypass in the access control mechanism for specific administrative API endpoints. The /api/admin/badge-templates (GET) and /api/admin/badge-templates/create (POST) endpoints fail to properly validate that the user making the request is authenticated and possesses administrative privileges. An unauthenticated remote attacker can send crafted HTTP requests directly to these endpoints to view or create badge templates, functions that should be restricted to administrators. This could be leveraged to inject malicious payloads into a template, potentially leading to Server-Side Template Injection (SSTI) and subsequent Remote Code Execution (RCE) on the server.

This vulnerability is rated as critical severity with a CVSS score of 9.4. A successful exploit could have a severe business impact, leading to a full compromise of the CTF platform. An attacker could exfiltrate sensitive data, including user credentials, challenge solutions, and private flags. Furthermore, the attacker could deface the platform, disrupt ongoing events, or use the compromised server as a pivot point to attack other internal network resources. This poses a significant operational, reputational, and financial risk to the organization.

Immediate Action: Immediately apply the vendor's security patch by updating all instances of Flag Forge to version 2.3.2 or later. After patching, review web server and application access logs for any evidence of compromise or exploitation attempts targeting the /api/admin/badge-templates endpoints.

Proactive Monitoring: Review historical and real-time web server logs for any requests to /api/admin/badge-templates or /api/admin/badge-templates/create originating from untrusted or unexpected IP addresses. Monitor for the creation of unusual badge templates, especially those containing suspicious syntax that could indicate an injection attack. Configure network security monitoring tools to alert on traffic patterns consistent with exploitation of this vulnerability.

Compensating Controls: If immediate patching is not feasible, implement the following controls as a temporary measure:

• Use a Web Application Firewall (WAF) or reverse proxy to create rules that block all external access to the /api/admin/ URL path.
• Restrict network access to the administrative interface to only trusted IP address ranges.
• If possible, temporarily disable the badge template functionality until the system can be patched.

Public Exploit Available: false

Given the critical severity (CVSS 9.4) of this vulnerability and its potential to allow for a full system compromise, immediate remediation is required. We strongly recommend that all administrators of affected Flag Forge platforms apply the vendor-supplied patch to upgrade to version 2.3.2 or later without delay. Although this CVE is not yet listed on the CISA KEV catalog, its high impact and likely ease of exploitation make it a prime target for opportunistic and sophisticated threat actors.