A critical vulnerability has been discovered in multiple Errands products that could allow a remote, unauthenticated attacker to execute arbitrary code on affected systems. Successful exploitation could lead to a complete system compromise, resulting in data theft, service disruption, or further intrusion into the network. Organizations are urged to apply the vendor-provided security patches immediately to mitigate this high-severity risk.

The vulnerability is an unauthenticated remote code execution (RCE) flaw within a core service component of multiple Errands products. The issue stems from the improper validation of user-supplied input when processing API requests. An attacker can craft a malicious request containing specially formatted data that, when processed by the application, triggers a buffer overflow, allowing for the execution of arbitrary code with the privileges of the application's service account. This attack can be performed remotely over the network without requiring any prior authentication or user interaction.

This vulnerability is rated as High severity with a CVSS score of 8.2. A successful exploit would have a significant negative impact on the business, granting an attacker complete control over the affected systems. This could lead to the exfiltration of sensitive corporate or customer data, disruption of critical business services, reputational damage, and financial loss. Furthermore, a compromised system could be used as an entry point to launch further attacks against the internal network, escalating the security incident.

Immediate Action: Organizations must prioritize the immediate application of security updates provided by Errands to patch all affected products to version 46 or later. System administrators should follow the vendor's patching guidelines, verify the successful installation of the update, and restart services as required.

Proactive Monitoring: Security teams should actively monitor for signs of exploitation. This includes reviewing web server and application access logs for unusual or malformed requests targeting the affected services. Monitor network traffic for anomalous outbound connections from servers running Errands products, which could indicate a successful compromise and command-and-control (C2) communication.

Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce the risk. Restrict network access to the vulnerable services to only trusted IP addresses using a web application firewall (WAF) or network firewall rules. If possible, enable any available security features within the product that may limit exposure of the vulnerable component.

Public Exploit Available: false

This vulnerability represents a critical risk to the organization due to its high severity (CVSS 8.2) and the potential for unauthenticated remote code execution. Although this CVE is not yet listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its characteristics make it a prime target for future exploitation. We strongly recommend that all system owners identify affected Errands products within their environment and apply the vendor-supplied security update to version 46 or newer with the highest priority to prevent potential system compromise.