A critical vulnerability, identified as CVE-2025-62959 with a CVSS score of 9.1, has been discovered in the videowhisper Paid Videochat Turnkey Site software. This flaw allows a remote, unauthenticated attacker to inject and execute arbitrary code on the server, potentially leading to a complete system compromise, data theft, and service disruption. Organizations using the affected software are urged to apply the vendor's patch immediately to mitigate this severe risk.

The vulnerability is an Improper Control of Generation of Code (CWE-94), specifically a Remote Code Inclusion flaw. The application fails to properly sanitize user-supplied input that is used to include code or files for execution. An unauthenticated remote attacker can exploit this by crafting a request that tricks the application into including and executing a malicious script hosted on an attacker-controlled external server. Successful exploitation results in arbitrary code execution with the permissions of the web server process, granting the attacker a foothold on the system.

This vulnerability is rated as critical severity with a CVSS score of 9.1, posing a significant threat to the business. Successful exploitation could lead to a complete compromise of the affected server and its data. The specific risks include a severe data breach involving sensitive customer information and private video content, significant service downtime causing financial and reputational damage, and the potential for the compromised server to be used as a launchpad for further attacks against the internal network. The financial impact from incident response, regulatory fines, and loss of customer trust could be substantial.

Immediate Action:

• Immediately update the affected videowhisper Paid Videochat Turnkey Site software to the latest patched version as recommended by the vendor.
• Prioritize patching for all internet-facing systems to eliminate the primary attack vector.
• After patching, review web server and application access logs for any evidence of compromise or exploitation attempts that may have occurred prior to the update.

Proactive Monitoring:

• Log Analysis: Scrutinize web server logs for requests containing URLs or file paths to external domains within parameters, which could indicate a Remote Code Inclusion attempt. Monitor application logs for errors related to file handling or code execution.
• Network Monitoring: Monitor for and alert on any unusual outbound network connections from the web server to unknown or untrusted IP addresses. This could be a sign that the server is attempting to download a malicious payload.
• Host-Based Monitoring: Utilize File Integrity Monitoring (FIM) to detect the creation of unauthorized files (e.g., web shells) in the web directory. Monitor for suspicious processes spawned by the web server user account.

Compensating Controls:

• Web Application Firewall (WAF): If immediate patching is not feasible, implement or enhance WAF rules to block requests matching common Remote Code Inclusion and code injection patterns.
• Egress Filtering: Enforce strict firewall rules to block all outbound traffic from the server except for what is explicitly required for business operations. This can prevent the server from connecting to an attacker's command-and-control infrastructure.
• Principle of Least Privilege: Ensure the web server process is running with the minimum necessary permissions to limit an attacker's ability to cause further damage post-exploitation.

Public Exploit Available: false

This vulnerability represents a critical risk to the organization and requires immediate remediation. It is strongly recommended to apply the vendor-supplied patches to all affected videowhisper instances without delay. While this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its high impact score makes it a prime candidate for future inclusion should it be exploited in the wild. Organizations must prioritize patching and implement the recommended monitoring and compensating controls to prevent a full system compromise.