A critical vulnerability has been identified in multiple Primakon products, specifically affecting the Pi Portal 1 component. This flaw allows a remote, unauthenticated attacker to execute arbitrary code on the server, potentially leading to a complete system compromise. Successful exploitation could result in significant data theft, service disruption, and unauthorized access to the corporate network.

A critical command injection vulnerability exists within the Primakon Pi Portal 1 component due to insufficient input sanitization in an unauthenticated API endpoint. A remote, unauthenticated attacker can exploit this by sending a specially crafted HTTP request containing malicious commands. These commands are then executed on the underlying server with the privileges of the web application service, leading to remote code execution (RCE) and a potential full system compromise.

This vulnerability is rated as High severity with a CVSS score of 8.8. Exploitation of this flaw could have severe consequences for the business, including the breach of confidential corporate or customer data, manipulation of critical information, and complete disruption of services hosted on the affected server. A compromised system could also be used as a pivot point for attackers to move laterally within the network, escalating the incident and expanding their access to other sensitive internal resources. The potential for data loss, reputational damage, and financial costs associated with remediation is significant.

Immediate Action: Apply the security updates released by Primakon to all affected systems immediately, prioritizing internet-facing instances. After patching, review web server and application access logs for any signs of compromise that may have occurred prior to the update.

Proactive Monitoring: Enhance monitoring of affected systems by looking for indicators of compromise. In web server logs, search for unusual or malformed requests to API endpoints associated with the Pi Portal. On the host, monitor for unexpected processes being spawned by the web server's user account (e.g., www-data or IIS AppPool) and for suspicious outbound network connections to unknown IP addresses.

Compensating Controls: If patching cannot be immediately deployed, implement the following controls to mitigate risk:

• Deploy a Web Application Firewall (WAF) with rules specifically designed to block command injection patterns in requests to the vulnerable endpoint.
• Restrict network access to the affected portal, limiting exposure from the internet if possible.
• Enhance network egress filtering to block the server from making outbound connections to unauthorized destinations, which can prevent C2 communication.

Public Exploit Available: true

Given the high severity (CVSS 8.8) of this vulnerability and the public availability of exploit code, organizations must treat this as a critical priority. The primary recommendation is to apply the vendor-supplied patches to all affected systems without delay. Although this vulnerability is not currently on the CISA KEV list, its characteristics make it a strong candidate for future inclusion. If immediate patching is not feasible, the compensating controls outlined above should be implemented as a temporary measure while actively monitoring for any signs of exploitation.