CVE-2025-63414

Allsky · Allsky WebUI

A critical remote code execution vulnerability has been identified in the Allsky WebUI software.

Executive summary

An unauthenticated attacker with network access to the Allsky WebUI can take complete control of the underlying system by sending a specially crafted web request. The flaw carries a severe risk of data theft, full system compromise, and further intrusion into the network the device sits on.

Vulnerability

The vulnerability is a path traversal flaw in the /html/execute.php endpoint. The endpoint uses the id parameter of the HTTP request to build a filesystem path without adequately validating it, so an unauthenticated remote attacker can include traversal sequences (e.g., ../) in id to break out of the directory the endpoint was meant to be confined to. Escaping that directory lets the attacker execute arbitrary commands with the privileges of the web server's user account, resulting in full remote code execution (RCE). No credentials or user interaction are needed; anyone who can reach the WebUI over the network can trigger it.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 10, representing the highest possible risk. Successful exploitation would grant an attacker complete control over the affected server, leading to a total loss of confidentiality, integrity, and availability. Potential consequences include theft of sensitive data, deployment of ransomware, destruction of system data, and the use of the compromised system as a pivot point to attack other internal network resources.

Remediation

Immediate Action: Update the Allsky WebUI to the latest version provided by the vendor, which addresses this vulnerability. Patching closes the hole but does not undo anything an attacker already did with web-server-level code execution, so after patching review the web server access logs for prior exploitation attempts and treat any host that shows successful requests as compromised rather than merely patched.

Proactive Monitoring: Security teams should monitor web server access logs for HTTP requests to the /html/execute.php endpoint. Specifically, look for requests where the id parameter contains path traversal sequences such as ../, ..%2f, %2e%2e%2f, or double-encoded forms such as %252e%252e%252f; decode the parameter before matching so that encoded variants are not missed. Note that access logs record only the request line and query string, so if the parameter is sent in a POST body it will not appear there, and an empty search result does not rule out exploitation. Also monitor for unusual processes being spawned by the web server user (e.g., www-data, apache) and for unexpected outbound network connections from the server.

Compensating Controls: If immediate patching is not feasible, place a Web Application Firewall (WAF) in front of the WebUI with a rule that blocks requests to the execute.php endpoint whose id parameter still contains a .. sequence after URL decoding; a rule that matches only the literal string ../ is bypassed by percent-encoded and double-encoded forms. Restrict network access to the Allsky WebUI to trusted IP addresses only (for example with host firewall rules or a reverse-proxy allow-list), and consider disabling the service if it is not business-critical.
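The following Python script is an added example for the monitoring and WAF guidance above; it is not code from this advisory or from the Allsky project. It scans constructed Apache/nginx combined-format access log lines for requests to execute.php whose id parameter contains a traversal sequence, URL-decoding repeatedly so that ../, ..%2f, %2e%2e%2f, double-encoded %252e%252e%252f, and backslash variants all collapse to the same form before matching. The endpoint and parameter names come from the advisory; the log lines, IP addresses, and the paths inside the id values are placeholders, not a known exploit payload.

```python
"""Scan web server access logs for path traversal attempts against execute.php (CVE-2025-63414)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined"/"common" access-log line; only the fields needed here are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# ".." followed by a path separator or the end of the value, checked AFTER decoding.
TRAVERSAL = re.compile(r'\.\.(?:[/\\]|$)')

ENDPOINT = "execute.php"  # basename of the vulnerable endpoint named in the advisory
PARAM = "id"              # parameter named in the advisory


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so single-encoded
    %2e%2e%2f and double-encoded %252e%252e%252f both become '../'; then fold
    backslashes to forward slashes so a backslash separator is treated like '/'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def suspicious_ids(target: str, endpoint: str = ENDPOINT, param: str = PARAM) -> list:
    """For a request target (path + query), return the decoded values of `param`
    that contain a traversal sequence. Requests to other endpoints return []."""
    parts = urlsplit(target)
    if normalize(parts.path).rsplit("/", 1)[-1] != endpoint:
        return []
    raw_values = parse_qs(parts.query, keep_blank_values=True).get(param, [])
    return [v for v in map(normalize, raw_values) if TRAVERSAL.search(v)]


def scan_access_log(lines):
    """Apply the check to every parseable log line; one dict per flagged request.
    The HTTP status is kept so an analyst can tell a blocked probe (403) from one
    the server actually served (200)."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or truncated line; a real pipeline would count these
        for value in suspicious_ids(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "id": value})
    return hits


# Constructed sample lines (not real traffic). The paths inside id are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Nov/2025:10:01:02 +0000] "GET /html/execute.php?id=settings HTTP/1.1" 200 512
192.0.2.44 - - [12/Nov/2025:10:01:09 +0000] "GET /html/execute.php?id=../../../../tmp/x HTTP/1.1" 200 0
192.0.2.44 - - [12/Nov/2025:10:01:15 +0000] "GET /html/execute.php?id=..%2F..%2Ftmp%2Fx HTTP/1.1" 200 0
192.0.2.44 - - [12/Nov/2025:10:01:21 +0000] "GET /html/execute.php?id=%252e%252e%252f%252e%252e%252ftmp%252fx HTTP/1.1" 403 0
192.0.2.44 - - [12/Nov/2025:10:01:30 +0000] "GET /html/index.php?page=../../tmp/x HTTP/1.1" 404 0
192.0.2.10 - - [12/Nov/2025:10:02:00 +0000] "GET /html/execute.php?id=%2e%2e%5c%2e%2e%5ctools HTTP/1.1" 200 0
192.0.2.44 - - [12/Nov/2025:10:02:07 +0000] "POST /html/execute.php HTTP/1.1" 200 0
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} id={hit['id']!r}")
```

suspicious_ids is also the predicate a WAF rule for the compensating control has to implement: it decodes before matching, which is exactly what a rule keyed on the literal ../ fails to do (the %252e line in the sample is the request such a rule lets through). The POST line in the sample is flagged by nothing, which illustrates the access-log blind spot noted above; the request to index.php is ignored because the check is scoped to the endpoint the advisory names, so widen the endpoint argument if you want traversal probes against other pages as well.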

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 10 and the fact that this vulnerability can be exploited by an unauthenticated attacker with low complexity, immediate remediation is strongly recommended. Organizations must prioritize applying the vendor-supplied patch to all affected systems. Although there is no evidence of active exploitation at this time, vulnerabilities of this severity are prime targets for threat actors, and a public exploit is likely to be developed quickly.