CVE-2026-1019
Police · Police Statistics Database System developed by Gotac (Affects Multiple Products)
A critical vulnerability has been discovered in the Police Statistics Database System developed by Gotac.
Executive summary
The flaw is a missing authentication check on a function that interacts directly with the underlying database. It allows any remote, unauthenticated attacker to read, modify, and delete sensitive law enforcement data, posing a severe risk to data integrity, confidentiality, and public safety. Immediate patching is required to prevent exploitation and compromise of critical information.
Vulnerability
The vulnerability is Missing Authentication for a Critical Function (CWE-306). A specific function within the software suite performs no authentication or authorization check before interacting directly with the underlying database. A remote attacker can exploit it by sending crafted requests to the exposed endpoint, gaining the equivalent of administrator-level database privileges to read, create, modify, and delete any record without valid credentials. Because no credentials are involved, the only preconditions for exploitation are network reachability of the endpoint and knowledge of its request format.
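To make the weakness class concrete, the following is an added illustration of CWE-306 written for this page; it is not Gotac's code and says nothing about the real endpoint. It models a "delete record" handler twice over an in-memory SQLite table of constructed statistics rows: once with no authentication (the weakness) and once with an authenticate-then-authorize check. The `Request` class, the `X-Session-Token` header, the `SESSIONS` store and the `stats` table are all assumptions made for the demo.

```python
"""CWE-306 illustration: a handler that reaches the database with no
authentication, beside a hardened version.  Added example for this page;
not Gotac's code.  All names below are assumptions for the demo."""
import sqlite3
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the demo)."""
    remote_addr: str
    headers: dict = field(default_factory=dict)


# Constructed session store: token -> (user, role).  A real application
# would back this with its own session management.
SESSIONS = {"tok-admin-1": ("alice", "admin"), "tok-user-1": ("bob", "analyst")}


def build_db():
    """Create an in-memory DB with a few constructed statistics rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE stats (id INTEGER PRIMARY KEY, region TEXT, incidents INTEGER)")
    con.executemany("INSERT INTO stats VALUES (?, ?, ?)",
                    [(1, "north", 42), (2, "south", 17), (3, "east", 8)])
    con.commit()
    return con


def delete_record_vulnerable(con, req, record_id):
    """The weakness: the handler goes straight to the database.

    No session lookup and no role check, so anyone who can reach the
    endpoint can delete any row.  Returns an HTTP-style status code.
    """
    con.execute("DELETE FROM stats WHERE id = ?", (record_id,))
    con.commit()
    return 200


def authenticate(req):
    """Resolve the session token to (user, role); None if not logged in."""
    return SESSIONS.get(req.headers.get("X-Session-Token"))


def delete_record_fixed(con, req, record_id):
    """Hardened handler: authenticate, then authorize, then act."""
    principal = authenticate(req)
    if principal is None:
        return 401                      # not authenticated
    _user, role = principal
    if role != "admin":
        return 403                      # authenticated but not permitted
    con.execute("DELETE FROM stats WHERE id = ?", (record_id,))
    con.commit()
    return 200


def count_rows(con):
    return con.execute("SELECT COUNT(*) FROM stats").fetchone()[0]


def demo():
    """Exercise both handlers.

    Returns (rows after the unauthenticated delete against the vulnerable
    handler, fixed-handler status for an anonymous caller, for a non-admin
    session, for an admin session, rows remaining after those three calls).
    """
    anon = Request("203.0.113.7")                      # no token at all
    analyst = Request("203.0.113.7", {"X-Session-Token": "tok-user-1"})
    admin = Request("203.0.113.7", {"X-Session-Token": "tok-admin-1"})

    con = build_db()
    delete_record_vulnerable(con, anon, 1)             # succeeds with no credentials
    rows_vuln = count_rows(con)                        # 3 -> 2

    con = build_db()
    s_anon = delete_record_fixed(con, anon, 1)         # 401, nothing deleted
    s_analyst = delete_record_fixed(con, analyst, 1)   # 403, nothing deleted
    s_admin = delete_record_fixed(con, admin, 1)       # 200, row 1 deleted
    rows_fixed = count_rows(con)                       # 3 -> 2, only via the admin
    return rows_vuln, s_anon, s_analyst, s_admin, rows_fixed


if __name__ == "__main__":
    print(demo())
```

The point of the pairing is the order of checks in `delete_record_fixed`: the handler first establishes who is calling, then whether that principal may perform the operation, and only then touches the database. The vulnerable variant skips both steps, which is exactly what makes every reachable caller an administrator.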
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could have catastrophic consequences for any law enforcement agency using the affected software. The direct, unauthorized access to sensitive police statistics could lead to a massive data breach, manipulation of evidence or criminal records, and disruption of law enforcement operations. The loss of data integrity could undermine active investigations, compromise legal cases, and erode public trust. The organization could also face significant regulatory fines, legal liability, and severe reputational damage.
Remediation
Immediate Action: Apply the security updates provided by the vendor, Gotac, to all affected systems and bring them to the latest version. After patching, review database and application access logs for signs of compromise that may have occurred before the patch was applied. Because the vulnerable function accepts requests without credentials, do not rely on user-attributed audit trails alone: look for requests to the affected endpoint, and for data reads or modifications, that cannot be tied to a known session or trusted source.
Proactive Monitoring: Implement enhanced monitoring of the affected application servers and databases. Security teams should look for unusual network traffic patterns or direct queries to the database from untrusted sources. Scrutinize application logs for anomalous requests to the specific functionality mentioned in the advisory and set up alerts for high-volume data access or modification commands (e.g., SELECT *, UPDATE, DELETE) originating from unexpected IP addresses.
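The monitoring guidance above can be turned into a small detection routine. The block below is an added example for this page, not tooling from the advisory or the vendor. It assumes a combined application/database access log in the constructed format shown in `LOG_LINES` (timestamp, source IP, method, path, status, and the SQL statement issued), an allowlist of trusted front-end addresses, and a per-source threshold; all three are assumptions that a deployment would replace with its own log format and topology.

```python
"""Detection logic for the monitoring guidance: flag data-access and
data-modification statements from untrusted sources and bursts of them.
Added example for this page; log format, allowlist and threshold are
assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs): timestamp, source IP, method,
# path, HTTP status, SQL statement.
LOG_LINES = """\
2026-01-14T10:00:01Z 10.20.0.5 POST /stats/query 200 sql="SELECT region, incidents FROM stats WHERE region = ?"
2026-01-14T10:00:03Z 203.0.113.7 POST /stats/query 200 sql="SELECT * FROM stats"
2026-01-14T10:00:04Z 203.0.113.7 POST /stats/update 200 sql="UPDATE stats SET incidents = 0 WHERE id = 1"
2026-01-14T10:00:05Z 203.0.113.7 POST /stats/delete 200 sql="DELETE FROM stats WHERE id = 2"
2026-01-14T10:00:06Z 203.0.113.7 POST /stats/delete 200 sql="DELETE FROM stats WHERE id = 3"
2026-01-14T10:05:00Z 10.20.0.9 POST /stats/update 200 sql="UPDATE stats SET incidents = 5 WHERE id = 4"
2026-01-14T11:30:00Z 198.51.100.2 POST /stats/query 200 sql="SELECT * FROM stats"
""".splitlines()

TRUSTED_SOURCES = {"10.20.0.5", "10.20.0.9"}   # assumed: the application's known front ends
WINDOW = timedelta(minutes=5)                  # sliding window for the burst rule
THRESHOLD = 3                                  # sensitive statements per source within WINDOW

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) sql="(.*)"$')
# Bulk reads and any write count as sensitive; a narrow SELECT does not.
SENSITIVE_RE = re.compile(r'^\s*(?:SELECT\s+\*|(?:UPDATE|DELETE)\b)', re.IGNORECASE)


def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status, sql = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
            "method": method, "path": path, "status": int(status), "sql": sql}


def detect(lines, trusted=TRUSTED_SOURCES, window=WINDOW, threshold=THRESHOLD):
    """Return a list of alert tuples.

    Rule 1: every sensitive statement from a source outside `trusted`
            produces an ("untrusted_source", ip, path, sql) alert.
    Rule 2: when one untrusted source reaches `threshold` sensitive
            statements inside `window`, a ("burst", ip, count, ts) alert
            is added as well.
    """
    alerts = []
    recent = defaultdict(list)  # ip -> timestamps of recent sensitive statements
    for line in lines:
        ev = parse(line)
        if ev is None or not SENSITIVE_RE.match(ev["sql"]):
            continue
        if ev["ip"] in trusted:
            continue
        alerts.append(("untrusted_source", ev["ip"], ev["path"], ev["sql"]))
        bucket = recent[ev["ip"]]
        bucket.append(ev["ts"])
        bucket[:] = [t for t in bucket if ev["ts"] - t <= window]  # drop old events
        if len(bucket) == threshold:    # fire when the count reaches the threshold
            alerts.append(("burst", ev["ip"], len(bucket), str(ev["ts"])))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

On the constructed sample the first rule fires for every statement from 203.0.113.7 and 198.51.100.2, and the second fires once when 203.0.113.7 issues its third sensitive statement within five minutes. The narrow parameterized SELECT from a trusted front end and the single trusted UPDATE produce nothing, which is the behaviour wanted for an allowlist-based rule: it is cheap to run continuously and its noise is bounded by how well the allowlist is maintained.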
Compensating Controls: If patching cannot be performed immediately, restrict network access to the affected application to a limited set of trusted IP addresses at the firewall level. If possible, deploy a Web Application Firewall (WAF) with specific rules to block requests that attempt to reach the vulnerable functionality; treat the WAF as a supplement rather than the primary control, since a rule only helps if it matches every path and parameter variant that reaches the unauthenticated function. Consider taking the system offline temporarily if the risk of compromise is deemed too high.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical severity (CVSS 9.8) of this vulnerability and the highly sensitive nature of the data within the Police Statistics Database System, this issue must be treated as the highest priority. We strongly recommend that all affected organizations apply the vendor-provided patches immediately. Although this vulnerability is not currently listed in the CISA KEV catalog, and no public exploit is known at the time of writing, its potential for severe impact on law enforcement operations and public trust warrants an emergency response.