A high-severity insecure deserialization vulnerability has been identified in multiple TYPO3 products. An attacker with local write access to the mail spool directory can execute arbitrary code, leading to a complete compromise of the web server. This could result in data theft, service disruption, and further network intrusion.

This vulnerability is an insecure deserialization flaw within the TYPO3 mail-file spooling mechanism. An attacker who has already gained local access to the server with permissions to write to the mail spool directory can exploit this flaw. The attack is carried out by crafting a malicious file containing a serialized PHP object and placing it in the spool directory. When the legitimate mailer:spool:send command is executed (typically via a scheduled task), it processes the files in the spool, deserializes the attacker's malicious object, and inadvertently executes the arbitrary PHP code contained within it, all under the privileges of the web server user.

This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation allows an attacker to achieve arbitrary code execution on the web server. This can lead to a complete system compromise, enabling the attacker to steal sensitive data (such as customer information, credentials, and intellectual property), install persistent backdoors, deface the website, or use the compromised server as a pivot point to attack other systems within the network. The potential business impact includes significant data breaches, reputational damage, financial loss, and regulatory penalties.

Immediate Action: Organizations must apply the security updates provided by the vendor across all affected TYPO3 instances without delay. After patching, it is crucial to review server logs for any signs of compromise that may have occurred prior to the update.

Proactive Monitoring: Security teams should monitor for any unusual or unauthorized file creation and modification events within the mail spool directory. Review logs associated with the execution of the mailer:spool:send command for anomalies. Monitor for suspicious processes being spawned by the web server user account and unexpected outbound network connections from the server.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

• Strictly enforce the principle of least privilege by ensuring that only the necessary user accounts have write permissions to the mail spool directory.
• Implement File Integrity Monitoring (FIM) on the spool directory to generate alerts for any unauthorized changes.
• Regularly audit user permissions on the web server to identify and remove excessive access rights.

Public Exploit Available: false

Given the high severity rating and the potential for complete server compromise, it is strongly recommended that organizations prioritize the immediate application of vendor-supplied patches. Although the attack vector is local, it poses a significant threat from insiders or in scenarios where an attacker has already gained an initial, low-privilege foothold on the system. While this CVE is not currently on the CISA KEV list, its high impact warrants urgent attention to prevent potential future exploitation.