A critical vulnerability has been identified in multiple products utilizing the dcat-admin component, which could allow a remote, unauthenticated attacker to execute arbitrary code on an affected server. Successful exploitation could lead to a complete system compromise, resulting in significant data theft, operational disruption, and unauthorized access to the underlying infrastructure.

The vulnerability is a file inclusion flaw located in the admin/src/Extend/VersionManager.php component. An attacker can send a specially crafted request to the application, manipulating an input parameter to force the server to include and execute a malicious file. This can be exploited as either a Local File Inclusion (LFI), to execute code already present on the server, or a Remote File Inclusion (RFI), to include and execute code from an attacker-controlled external server, leading to full Remote Code Execution (RCE). This type of attack typically does not require any prior authentication.

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a direct and severe threat to the business. A successful exploit grants an attacker complete control over the affected application and its underlying server. This could lead to the theft or destruction of sensitive corporate or customer data, significant financial losses from fraud or system recovery costs, and severe reputational damage. The compromised system could also be used as a foothold to launch further attacks against the organization's internal network, escalating the scope of the breach.

Immediate Action: Update all instances of Unknown Multiple Products to the latest version provided by the vendor to patch this vulnerability. After patching, it is critical to monitor for any signs of exploitation and to thoroughly review historical access logs for any indicators of compromise preceding the update.

Proactive Monitoring: Security teams should implement monitoring rules to detect and alert on suspicious requests targeting the admin/src/Extend/VersionManager.php file. Look for directory traversal sequences (../), absolute file paths, and external URLs (http://, https://) within request parameters in web server and WAF logs. Additionally, monitor for anomalous outbound network traffic from web servers, which could indicate a successful RFI payload or a reverse shell connection.

Compensating Controls: If patching cannot be immediately deployed, implement a Web Application Firewall (WAF) with rules to block common file inclusion attack patterns. On the server, harden the PHP configuration by disabling allow_url_fopen and allow_url_include to mitigate the risk of Remote File Inclusion. Ensure the web server process runs with the lowest possible privileges to limit the impact of a potential compromise.

Public Exploit Available: False

Due to the critical 9.8 CVSS score, this vulnerability requires immediate attention and remediation. All organizations using the affected products must prioritize the deployment of vendor-supplied patches. While this CVE is not yet on the CISA KEV list, its severity makes it a highly attractive target for attackers and it should be treated with the same urgency as a known exploited vulnerability. If patching is delayed, the compensating controls listed above must be implemented as a temporary measure to reduce risk, but they should not be considered a substitute for patching.