CVE-2025-62586

OPEXUS · OPEXUS FOIAXpress

A critical vulnerability has been identified in OPEXUS FOIAXpress that allows a remote attacker, without any credentials, to reset the administrator password.

Executive summary

The flaw lets a remote attacker, holding no credentials, reset the administrator password of OPEXUS FOIAXpress. Successful exploitation grants the attacker complete control over the application, allowing them to access, modify, or delete sensitive data and resulting in a full system compromise. The vulnerability represents a severe security risk that requires immediate attention.

Vulnerability

This vulnerability allows a remote, unauthenticated attacker to take over the administrator account. The flaw likely exists within the password reset functionality of the application. An attacker can exploit this by initiating a password reset request for the administrator account and manipulating the process to set a new password of their choosing, bypassing standard authentication and validation checks. This type of attack does not require any prior access or knowledge of the system, making it easy to exploit on any internet-facing instance.

Business impact

This vulnerability is rated critical, with a CVSS score of 9.8. Exploitation grants an attacker full administrative privileges, with severe business consequences. These include, but are not limited to, unauthorized access to and exfiltration of sensitive information processed by the FOIAXpress system, manipulation or deletion of official records (a significant data integrity issue), and reputational damage. A full system compromise could also let the attacker use the server as a foothold for further attacks against the internal network.

Remediation

Immediate Action: Upgrade all instances of OPEXUS FOIAXpress to the patched version 11.13.2.0 or later, as recommended by the vendor. Prioritize systems exposed to the public internet. After patching, review all administrative accounts for unauthorized changes or suspicious activity.

Proactive Monitoring: Implement enhanced monitoring of the affected application. Security teams should actively review access logs for unusual password reset attempts, especially for administrative accounts, originating from unexpected IP addresses. Monitor network traffic for anomalous patterns directed at the application's login and account recovery pages. Set up alerts for any successful administrator login from a new or unrecognized source.
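To make the log review described above concrete, here is an added detection sketch that is not part of the advisory and not vendor code. It runs over constructed access-log lines; the log format, the route fragments used to recognize reset and login requests, the administrator account names and the trusted address range are all assumptions to be replaced with the deployment's real values.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed log format: "<ISO time> <client ip> <method> <path> user=<name> status=<code>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"user=(?P<user>\S+) status=(?P<status>\d{3})$"
)
# Assumptions, not product facts: route fragments, admin naming, trusted networks.
RESET_RE = re.compile(r"reset|recover", re.IGNORECASE)
LOGIN_RE = re.compile(r"login", re.IGNORECASE)
ADMIN_ACCOUNTS = {"administrator", "admin"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
CORRELATION_WINDOW = timedelta(minutes=30)


def _trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def detect(lines):
    """Return (kind, ip, timestamp) alerts for the reset/login patterns the advisory names."""
    alerts = []
    admin_reset_times = []  # when a reset was requested against an admin account
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unparseable line: skip rather than stop the monitor
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        ip, path, user, status = m["ip"], m["path"], m["user"], m["status"]
        if user not in ADMIN_ACCOUNTS:
            continue
        if RESET_RE.search(path):
            admin_reset_times.append(ts)
            if not _trusted(ip):
                alerts.append(("admin_reset_from_untrusted_ip", ip, m["ts"]))
        elif LOGIN_RE.search(path) and status == "200" and not _trusted(ip):
            kind = "admin_login_from_untrusted_ip"
            # Escalate when the login follows a recent admin password reset.
            if any(timedelta(0) <= ts - t <= CORRELATION_WINDOW for t in admin_reset_times):
                kind = "admin_reset_followed_by_login"
            alerts.append((kind, ip, m["ts"]))
    return alerts


# Constructed sample: one benign internal admin login, then an external reset and login.
SAMPLE_LOG = [
    "2025-11-03T13:55:00Z 10.20.1.5 POST /account/login user=administrator status=200",
    "2025-11-03T14:02:11Z 203.0.113.7 POST /account/reset user=administrator status=200",
    "2025-11-03T14:03:40Z 203.0.113.7 POST /account/login user=administrator status=200",
    "2025-11-03T14:05:00Z 198.51.100.9 POST /account/login user=jdoe status=200",
]
```

Feeding the sample through `detect(SAMPLE_LOG)` yields one alert for the external reset request and one escalated alert for the login that follows it, which is the sequence worth paging on.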

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:

  • Restrict access to the application's management interface to a trusted internal network or specific whitelisted IP addresses.
  • Deploy a Web Application Firewall (WAF) with rules specifically designed to block or alert on suspicious requests targeting the password reset functionality.
  • Temporarily disable the external-facing password reset feature if business operations permit.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8 and the potential for a complete system takeover, we recommend that organizations treat this vulnerability with the highest priority. All affected OPEXUS FOIAXpress instances must be patched immediately to version 11.13.2.0 or a later release. Although this vulnerability is not yet in the CISA KEV catalog, its characteristics make it a likely candidate for future inclusion. Organizations should assume that any unpatched, internet-facing system is a potential target and should review system logs for signs of compromise that occurred before the patch was applied.