CVE-2025-63747
QaTraq · QaTraq Multiple Products
A critical vulnerability exists in multiple QaTraq products where a default administrative account with hard-coded credentials is enabled upon installation.
Executive summary
A critical vulnerability exists in multiple QaTraq products where a default administrative account with hard-coded credentials is enabled upon installation. This allows any unauthenticated attacker with network access to the application's login page to gain full administrative control, posing a severe risk of complete system compromise, data theft, and operational disruption.
Vulnerability
The vulnerability, classified as CWE-798: Use of Hard-coded Credentials, stems from the software shipping with a non-unique, default administrative account that is active in the default configuration. An attacker does not require any special tools or exploits; they only need network access to the web application's login interface. By using the publicly known default credentials, the attacker can log in and immediately gain the highest level of administrative privileges available within the application.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation grants an attacker complete administrative control over the affected QaTraq application. This could lead to severe business consequences, including unauthorized access to and exfiltration of sensitive data, manipulation or deletion of critical records, and disruption of business processes reliant on the application. The compromised system could also be used as a pivot point to launch further attacks against the internal network, significantly expanding the scope of the breach.
Remediation
Immediate Action: The primary remediation is to apply the security patches provided by the vendor. Organizations must update all affected QaTraq products to the latest version immediately. Refer to the official vendor security advisory for specific patch information and installation instructions.
Proactive Monitoring: Security teams should actively monitor for signs of compromise. This includes reviewing web application and server access logs for successful logins using the default administrative account, especially from unusual or external IP addresses. Monitor for any unexpected administrative actions, such as the creation of new user accounts, configuration changes, or data exports.
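The log review described above, as an added Python example that is not part of this advisory: it scans constructed access-log lines for successful logins by the default administrative account from outside a trusted network and for administrative actions performed by that account. The account name, trusted network range and administrative URL prefixes are assumed placeholders; substitute the values for your deployment.

```python
import ipaddress
import re

# Assumptions (not taken from the advisory): placeholder account name, trusted
# administrative network and admin URL prefixes for the deployment being checked.
DEFAULT_ADMIN_ACCOUNT = "admin"
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_PATH_PREFIXES = ("/admin/", "/export")

# Constructed sample access-log lines: client IP, authenticated user,
# timestamp, request line and HTTP status.
SAMPLE_LOG = """\
10.0.0.5 admin [01/Nov/2025:09:00:01 +0000] "POST /login.php HTTP/1.1" 302
203.0.113.44 admin [01/Nov/2025:09:05:12 +0000] "POST /login.php HTTP/1.1" 302
203.0.113.44 admin [01/Nov/2025:09:05:40 +0000] "POST /admin/user_add.php HTTP/1.1" 200
10.0.0.5 alice [01/Nov/2025:09:06:00 +0000] "GET /index.php HTTP/1.1" 200
198.51.100.9 admin [01/Nov/2025:09:07:00 +0000] "POST /login.php HTTP/1.1" 401
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)


def is_trusted(ip):
    """True when the client address falls inside an allowed admin network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious(log_text):
    """Return (alert_kind, ip, path) tuples for the two indicators the advisory
    asks teams to watch: successful default-account logins from untrusted
    addresses, and administrative actions taken by the default account."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] != DEFAULT_ADMIN_ACCOUNT:
            continue
        succeeded = int(m["status"]) < 400   # 2xx/3xx: the request was accepted
        if m["path"].startswith("/login") and succeeded and not is_trusted(m["ip"]):
            alerts.append(("default_admin_login_untrusted_ip", m["ip"], m["path"]))
        elif m["path"].startswith(ADMIN_PATH_PREFIXES) and succeeded:
            alerts.append(("default_admin_action", m["ip"], m["path"]))
    return alerts
```

Failed attempts (4xx) are deliberately not alerted here; a burst of them against the default account is still worth a separate rate-based rule.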
Compensating Controls: If patching cannot be performed immediately, implement the following compensating controls to reduce risk:
- If possible within the application, immediately change the password for the default administrative account or disable the account entirely.
- Restrict network access to the QaTraq web application login page using a firewall, web application firewall (WAF), or network access control lists (ACLs), allowing connections only from trusted IP addresses.
Exploitation status
Public Exploit Available: true
Analyst recommendation
Given the critical CVSS score of 9.8 and the trivial nature of exploitation, this vulnerability represents an immediate and significant threat to the organization. We strongly recommend that all affected QaTraq instances be patched immediately without delay. If patching is not possible, the compensating controls outlined above must be implemented as a top priority. Due to the high likelihood of active exploitation, organizations should assume they are being targeted and proactively hunt for evidence of compromise.