CVE-2025-62168

Squid · a caching proxy for the Web · Multiple Products

A critical vulnerability has been discovered in Squid proxy servers that could allow a remote attacker to steal sensitive user and administrative credentials.

Executive summary

CVE-2025-62168 is a critical information-disclosure flaw in Squid's HTTP error handling that could allow a remote attacker to obtain sensitive user and administrative credentials passing through the proxy. Successful exploitation could lead to unauthorized access to internal systems and, in the worst case, a complete compromise of the network, posing a severe risk to the organization's data, integrity, and operations.

Vulnerability

The flaw lies in Squid's HTTP error handling. When Squid processes certain malformed HTTP requests that carry authentication, it builds an error response or log entry that includes the full, unredacted HTTP Authorization header, credentials included. A remote, unauthenticated attacker can craft a request that deliberately triggers this error path and cause the proxy to emit those credentials. Because the leaked header is whatever the affected request carried, the exposure covers any client or service credentials that traverse the proxy; if administrative credentials are among them, an attacker could take control of the proxy itself and intercept, modify, or redirect all traffic it handles, compromising the confidentiality and integrity of the network.

Business impact

This vulnerability is rated critical with a CVSS score of 10.0, the highest possible. Exploitation could expose highly sensitive credentials belonging to users, applications, and administrators. The consequences include unauthorized access to critical internal systems, data exfiltration, financial loss, and significant reputational damage. An attacker in control of the proxy server can run man-in-the-middle attacks, deliver malware to proxied clients, and pivot to other internal assets, effectively gaining control over a significant portion of the organization's network traffic and infrastructure.

Remediation

Immediate Action: Upgrade Squid. All vulnerable instances must be upgraded to Squid version 7.2 or a later release to mitigate this vulnerability; `squid -v` reports the running version on its first line. After patching, monitor for exploitation attempts and review access logs for any suspicious activity that may have occurred prior to the update.

Proactive Monitoring: Security teams should actively monitor Squid proxy logs for an unusual volume of error responses and for log entries or error pages containing an Authorization header. Note that Squid's default access.log format does not record request headers, so Authorization values will only show up in logs where a custom logformat captures them; error responses returned to clients must be reviewed separately. Network traffic should be analyzed for patterns of malformed requests designed to trigger error states. Implement alerts for any unexpected outbound connections originating from the proxy server, which could indicate a successful compromise.
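The two checks above, version triage and log review, as an added example that is not code from the Squid project or from this advisory. It assumes the version banner is the first line of `squid -v` ("Squid Cache: Version X.Y[.Z]") and that the log lines come from a custom Squid logformat that records request headers (for example with the `%>h` format code); the log sample is constructed for this example, not a real capture. Basic credentials are decoded only far enough to name the account, so the report never re-emits the secret.

```python
"""Triage helpers for the Squid credential-leak advisory (added example).

Assumptions, not facts from the advisory:
  * version banners look like `squid -v`'s first line: "Squid Cache: Version 6.10"
  * log lines use a constructed layout: ts client result/status method url "headers",
    as produced by a custom logformat that records request headers
"""
import base64
import re
from collections import Counter

FIXED_VERSION = (7, 2)          # first release carrying the fix, per the advisory
VERSION_RE = re.compile(r"Version\s+(\d+(?:\.\d+)*)")

# Constructed log layout: ts client result/status method url "headers"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<result>[A-Z_]+)/(?P<status>\d{3}) '
    r'(?P<method>\S+) (?P<url>\S+) "(?P<headers>.*)"$'
)
# The token stops at whitespace, a quote, or the backslash that begins the
# escaped \r\n separating headers in the logged header block.
AUTH_RE = re.compile(r'Authorization:\s*(?P<scheme>\w+)\s+(?P<token>[^\s\\"]+)', re.I)


def parse_version(banner: str) -> tuple:
    """Turn 'Squid Cache: Version 6.10' into (6, 10) so comparison is numeric."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no version in banner: {banner!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_version(banner: str) -> bool:
    """True for any release below 7.2. Tuple comparison keeps 6.10 < 7.2 < 7.10,
    which a plain string comparison would get wrong."""
    return parse_version(banner) < FIXED_VERSION


def describe_credential(scheme: str, token: str) -> str:
    """Name the exposed account without copying the secret into the report."""
    if scheme.lower() == "basic":
        try:
            raw = base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except ValueError:          # binascii.Error is a ValueError subclass
            return "basic:<undecodable>"
        user, _sep, _password = raw.partition(":")
        return f"basic:{user or '<empty>'}"
    return f"{scheme.lower()}:<{len(token)} chars>"


def scan_log_lines(lines, burst_threshold: int = 3):
    """Return (leaks, bursty_clients).

    leaks: one dict per Authorization header found in a logged request.
    bursty_clients: source addresses producing at least burst_threshold
    error responses (4xx/5xx), the pattern the advisory says to watch for.
    """
    leaks, error_counts = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # not in the expected layout
        status = int(m["status"])
        if status >= 400:
            error_counts[m["client"]] += 1
        for auth in AUTH_RE.finditer(m["headers"]):
            leaks.append({
                "client": m["client"],
                "status": status,
                "url": m["url"],
                "credential": describe_credential(auth["scheme"], auth["token"]),
            })
    bursty = sorted(c for c, n in error_counts.items() if n >= burst_threshold)
    return leaks, bursty


# Constructed sample: one client repeatedly hitting an authenticated URL with
# requests that end in error responses (one with a garbled Basic token), plus
# one benign request that carries no credentials.
SAMPLE_LOG = """\
1730000000.101 10.0.0.5 TCP_DENIED/407 GET http://intranet.example/ "Host: intranet.example\\r\\nAuthorization: Basic YWxpY2U6aHVudGVyMg==\\r\\n"
1730000000.205 10.0.0.5 TCP_DENIED/400 GET http://intranet.example/ "Host: intranet.example\\r\\nAuthorization: Bearer eyJhbGciOi.redacted.sig\\r\\n"
1730000000.310 10.0.0.5 TCP_DENIED/400 GET http://intranet.example/ "Authorization: Basic !!!notbase64\\r\\n"
1730000000.400 10.0.0.7 TCP_MISS/200 GET http://example.com/ "Host: example.com\\r\\n"
"""

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable_version("Squid Cache: Version 6.10"))
    found, bursty = scan_log_lines(SAMPLE_LOG.splitlines())
    for leak in found:
        print(leak)
    print("bursty clients:", bursty)
```

Any account named in the `leaks` output should be treated as exposed and rotated; the burst list is a starting point for source-address blocking and for pulling full packet captures of the offending requests.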

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

  • Deploy a Web Application Firewall (WAF) or Intrusion Prevention System (IPS) with rules to detect and block requests designed to exploit this vulnerability.
  • Enforce strict access control lists (ACLs) to limit the source IP addresses that can connect to the proxy server.
  • Immediately rotate all credentials that are passed through the proxy to any upstream services, and any credentials used to authenticate to the proxy itself.
  • Ensure Multi-Factor Authentication (MFA) is enforced on all critical services that the proxy authenticates to, limiting the utility of stolen credentials.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity (CVSS 10.0) of this vulnerability, we recommend immediate and decisive action. The potential for a network-wide compromise through leaked administrative credentials represents an unacceptable risk to the organization. All system owners must prioritize upgrading vulnerable Squid instances to version 7.2 or later without delay. While this CVE is not yet on the CISA KEV list, its severity makes it a strong candidate for future inclusion and a likely target for both opportunistic and sophisticated threat actors.