A critical vulnerability has been identified in the FACTION PenTesting Report Generation and Collaboration Framework that allows an unauthenticated attacker to remotely execute arbitrary code on the server. This is possible due to a missing authentication check combined with a flaw in the extension framework, enabling an attacker to upload a malicious extension and gain complete control of the host system. Successful exploitation could lead to a total system compromise, data theft, and further intrusion into the network.

This vulnerability is a combination of two distinct flaws. First, a missing authentication check on the /portal/AppStoreDashboard endpoint allows any unauthenticated user to access the extension management user interface. Second, the extension framework itself contains a flaw where it fails to properly sanitize execution paths, permitting code within an extension's lifecycle hook to execute arbitrary system commands. An attacker can exploit this by first accessing the unprotected dashboard and then uploading a specially crafted malicious extension, which, when a lifecycle hook is triggered, will execute commands with the privileges of the FACTION application on the underlying server, resulting in unauthenticated remote code execution (RCE).

This vulnerability is rated as critical with a CVSS score of 9.6, posing a severe and immediate threat to the business. Successful exploitation grants an attacker complete control over the server hosting the FACTION platform. This can lead to the theft, modification, or destruction of highly sensitive penetration testing reports, client data, and internal security findings. Furthermore, a compromised server can be used as a beachhead to pivot into the broader corporate network, launch further attacks, or deploy ransomware. The potential for a data breach carries significant financial, reputational, and regulatory consequences.

Immediate Action: Immediately upgrade all instances of the FACTION framework to version 1.7.1 or later, as this version contains the necessary patches to address both the missing authentication and the code execution flaws. After patching, review web server and application access logs for any evidence of unauthorized access to the /portal/AppStoreDashboard endpoint or suspicious extension uploads prior to the update.

Proactive Monitoring:

• Monitor web server logs for any access attempts to the /portal/AppStoreDashboard endpoint from unknown or untrusted IP addresses.
• Audit the list of installed extensions for any that are unrecognized or were installed around the vulnerability publication date.
• Utilize Endpoint Detection and Response (EDR) or system-level logging to monitor the FACTION server for suspicious child processes, unexpected network connections, or file modifications indicative of a post-exploitation activity.

Compensating Controls: If immediate patching is not feasible, implement the following controls:

• Use a Web Application Firewall (WAF) or a reverse proxy to explicitly block all external access to the /portal/AppStoreDashboard URL path.
• Restrict network access to the FACTION web interface to only trusted IP addresses and internal networks.
• Run the FACTION service with the least privileged user account possible to limit the potential impact of code execution.

Public Exploit Available: false

Given the critical severity (CVSS 9.6) and the risk of unauthenticated remote code execution, this vulnerability must be addressed with the highest priority. We strongly recommend that all affected FACTION instances be patched to version 1.7.1 or later immediately. This should be treated as an emergency change. While this CVE is not currently on the CISA KEV list, its characteristics make it a prime target for future exploitation. Until patching is complete, organizations must apply compensating controls, such as blocking the vulnerable endpoint at the network edge, to mitigate the immediate risk of compromise.