A critical vulnerability has been identified in EasyImages 2.0, which allows an attacker with administrator access to execute arbitrary code and achieve a full compromise of the server. This is accomplished by injecting a malicious payload into a filename using the file rename function, posing a significant risk of data theft, service disruption, and further unauthorized access into the network.

The vulnerability exists within the /admin/filer.php component, which handles file management operations. The file renaming function fails to properly sanitize the input for a new filename. An authenticated attacker with Administrator privileges can upload a file and then use the rename feature to change its name to include an executable extension (e.g., .php) and embed malicious server-side code. When the server processes this crafted filename, it can be tricked into creating a web shell, which the attacker can then access to execute arbitrary commands with the permissions of the web server user.

This vulnerability is rated as critical severity with a CVSS score of 9.1. Successful exploitation leads to Remote Code Execution (RCE), giving an attacker complete control over the affected web server. This could result in the theft of sensitive data, deployment of ransomware, disruption of business operations, and reputational damage. The compromised server could also be used as a staging point to launch further attacks against other systems within the organization's internal network.

Immediate Action: Update the EasyImages 2.0 application to the latest version provided by the vendor to patch the vulnerability. After patching, review web server access logs for any signs of prior exploitation attempts targeting the /admin/filer.php endpoint.

Proactive Monitoring: Monitor web server logs for unusual POST requests to /admin/filer.php, particularly those involving filenames with multiple extensions, special characters, or executable extensions (e.g., .php, .phtml, .phar). Monitor for unexpected outbound network connections or processes spawned by the web server user account, which could indicate a successful compromise.

Compensating Controls: If patching is not immediately possible, implement the following controls:

• Restrict access to the /admin/ directory by enforcing IP address whitelisting.
• Implement a Web Application Firewall (WAF) with rules to block requests containing malicious filename patterns.
• Disable file upload and rename functionality if it is not critical to business operations.
• Enforce multi-factor authentication (MFA) for all administrator accounts to mitigate the risk of credential compromise.

Public Exploit Available: false

Due to the critical severity (CVSS 9.1) and the potential for complete system compromise, organizations must treat this vulnerability with high urgency. It is strongly recommended to apply the vendor-supplied patch to all affected instances of EasyImages 2.0 immediately. If patching is delayed, implement the suggested compensating controls, especially restricting access to the administration panel and enforcing MFA. While this vulnerability is not currently on the CISA KEV list, its high impact warrants immediate and decisive remediation action.