A high-severity vulnerability has been identified in multiple ApusTheme ITok products, allowing unauthenticated attackers to execute arbitrary code remotely. Successful exploitation could lead to a complete compromise of the affected server, enabling data theft, service disruption, and further attacks on the internal network. Organizations are urged to apply the vendor-provided security updates immediately to mitigate this critical risk.

The vulnerability is a Remote File Inclusion (RFI) flaw within the PHP code of the affected products. An attacker can exploit this by crafting a special URL or request that tricks the application into including and executing a malicious PHP file hosted on an external, attacker-controlled server. This occurs because the application fails to properly sanitize user-supplied input that is used as a filename in a PHP include() or require() statement, allowing a remote URL to be passed instead of a local file path.

This vulnerability is rated as High severity with a CVSS score of 8.1. A successful exploit grants an attacker Remote Code Execution (RCE) capabilities on the web server. This could lead to a complete system compromise, resulting in significant business impact, including the theft of sensitive corporate or customer data, deployment of ransomware, defacement of the website, or the use of the compromised server as a pivot point to attack other internal systems. The potential for reputational damage and financial loss is substantial.

Immediate Action: The primary and most effective remediation is to apply the security updates provided by ApusTheme ITok immediately across all affected products. After patching, review web server and application access logs for any signs of exploitation attempts that may have occurred prior to the update.

Proactive Monitoring: Security teams should actively monitor for indicators of compromise. This includes scrutinizing web server logs for unusual GET or POST requests containing external URLs (e.g., http://, https://, ftp://) in parameters. Monitor for unexpected outbound network connections from the web server to unknown IP addresses and look for any unauthorized file modifications or suspicious processes running on the server.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce risk:

• Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block RFI attack patterns.
• Modify the server's PHP configuration file (php.ini) to disable remote file inclusion by setting allow_url_include to Off. Note: Test this change in a staging environment first to ensure it does not break application functionality.
• Implement egress filtering on the network firewall to block outbound connections from the web server on all but essential ports.

Public Exploit Available: false

Given the high severity (CVSS 8.1) and the potential for complete system compromise via remote code execution, this vulnerability poses a critical risk to the organization. Although this CVE is not currently listed on the CISA KEV catalog, its characteristics make it a prime target for future exploitation. We strongly recommend that organizations prioritize the immediate application of vendor-supplied patches. If patching cannot be performed immediately, the compensating controls listed above must be implemented as a matter of urgency to protect against potential attacks.