CVE-2025-64284
Majestic · Majestic Support Multiple Products
A high-severity vulnerability has been discovered in multiple Majestic Support products, allowing for Local File Inclusion.
Executive summary
A high-severity vulnerability has been discovered in multiple Majestic Support products, allowing for Local File Inclusion. An unauthenticated attacker could exploit this flaw to read sensitive files on the server, potentially exposing confidential data, system credentials, and application source code. This could lead to further system compromise, data breaches, and service disruption.
Vulnerability
The vulnerability is an Improper Control of a Filename for an Include/Require Statement in a PHP Program, which allows for Local File Inclusion (LFI). An attacker can manipulate an input parameter, likely in a URL, to trick the application into including and processing a file from an arbitrary location on the server's local file system. For example, an attacker could craft a request to read sensitive files such as /etc/passwd, application configuration files containing database credentials, or private keys. In some scenarios, this LFI vulnerability could be escalated to achieve remote code execution (RCE) if the attacker can write to a file on the server (e.g., a log file) and then trick the application into including and executing it as PHP code.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could have a significant negative impact on the business. The primary risks include the breach of confidential data (customer information, intellectual property, credentials), which can lead to regulatory fines, reputational damage, and loss of customer trust. If an attacker escalates the vulnerability to achieve remote code execution, they could gain full control of the affected server, leading to complete system compromise, installation of ransomware or other malware, and prolonged operational downtime.
Remediation
Immediate Action: Apply vendor-supplied security updates immediately to patch the vulnerability. Concurrently, initiate monitoring for any signs of exploitation and conduct a thorough review of web server and application access logs for suspicious activity patterns indicative of LFI attacks.
Proactive Monitoring:
- Log Analysis: Scrutinize web server access logs for HTTP requests containing directory traversal sequences (../, ..\) or absolute file paths (/etc/passwd) in URL parameters. Look for requests using PHP wrappers like php://filter/convert.base64-encode/resource=.
- Network Traffic: Monitor for unusual outbound connections from the web server, which could indicate a successful compromise or data exfiltration.
- File Integrity Monitoring (FIM): Use FIM solutions to detect unauthorized changes to application code, configuration files, or the creation of suspicious files in web-accessible directories.
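The log-analysis step above can be automated. The following is an added example, not part of the advisory or any Majestic Support code: it scans access-log lines in the common "combined" format for the indicators the advisory lists (traversal sequences, absolute paths to sensitive files, PHP stream wrappers), URL-decoding each request twice so that encoded and double-encoded traversal is not missed. The log format, the field names and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Indicator patterns taken from the advisory's monitoring guidance.
LFI_PATTERNS = {
    "traversal": re.compile(r"(\.\./|\.\.\\)"),
    "absolute_path": re.compile(r"/etc/(passwd|shadow)|/proc/self"),
    "php_wrapper": re.compile(r"php://(filter|input)", re.IGNORECASE),
}

# Assumed Apache/nginx "combined" log layout:
# 203.0.113.5 - - [01/Jan/2025:12:00:00 +0000] "GET /path?x=y HTTP/1.1" 200 512 "-" "UA"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_url(url, rounds=2):
    # Decode repeatedly so %252e%252e%252f (double-encoded ../) is caught as well.
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def classify_line(line):
    # Return a finding dict for a suspicious request, or None for a clean line.
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = decode_url(m.group("url"))
    hits = [name for name, pat in LFI_PATTERNS.items() if pat.search(url)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "status": m.group("status"), "url": url, "indicators": hits}

def scan_log(lines):
    return [r for r in (classify_line(l) for l in lines) if r]

# Constructed sample lines; the host, paths and parameter names are not from any real system.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:12:00:00 +0000] "GET /tickets?page=home HTTP/1.1" 200 512 "-" "Mozilla"',
    '203.0.113.7 - - [01/Jan/2025:12:00:01 +0000] "GET /tickets?page=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Jan/2025:12:00:02 +0000] "GET /tickets?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1843 "-" "curl/8.0"',
    '203.0.113.9 - - [01/Jan/2025:12:00:03 +0000] "GET /tickets?page=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 4096 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged request is the strongest signal, since a 404 or 403 usually means the inclusion did not succeed.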
Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:
- Web Application Firewall (WAF): Deploy a WAF with a robust ruleset designed to detect and block LFI and directory traversal attack patterns.
- PHP Hardening: In the php.ini configuration, disable allow_url_fopen and allow_url_include to prevent the vulnerability from being escalated to Remote File Inclusion (RFI).
- Principle of Least Privilege: Ensure the web server process runs with the minimum necessary permissions and cannot read sensitive files outside of the web root directory.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability presents a high risk to the organization due to the potential for sensitive data exposure and full system compromise. Although this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its high CVSS score and the trivial nature of exploitation warrant immediate action. We strongly recommend that system administrators prioritize identifying all vulnerable Majestic Support products within the environment and applying the vendor-provided security patches without delay. If patching cannot be performed immediately, the compensating controls outlined above must be implemented as a temporary mitigation while a permanent patching plan is executed.