CVE-2026-1021

Police Statistics Database System developed by Gotac has an Arbitrary File Upload vulnerability

Executive summary

A critical vulnerability has been identified in the Police Statistics Database System developed by Gotac. The flaw allows an unauthenticated remote attacker to upload arbitrary files, such as a web shell, and then execute arbitrary code on the server, gaining complete control of it. Because the system holds sensitive law enforcement data, the flaw poses a severe risk to the confidentiality, integrity, and availability of that data.

Vulnerability

The application contains an Arbitrary File Upload vulnerability. Its file upload functionality does not properly validate the type or content of uploaded files, so an unauthenticated remote attacker can upload a file of their choosing (for example a PHP, ASPX, or JSP web shell) into a web-accessible directory on the server. Requesting the uploaded file's URL then causes the server to execute it, giving the attacker remote code execution with the privileges of the web server process.
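
The following Python sketch is added here as an illustration; it is not code from Gotac's product (the page does not show the application's own upload handler or even its language). It contrasts the pattern the advisory describes, a handler that trusts the client filename and never inspects content, with a hardened equivalent that allow-lists the extension, checks the content matches it, discards the client's name, and writes under a random name into a directory outside the web root. The accepted file types, the storage location and the size limit are assumptions made for the example.

```python
import os
import secrets
import tempfile

# Constructed allow-list for this example (the real application's accepted
# formats are not stated in the advisory): permitted extension -> leading bytes
# a genuine file of that type must start with. None marks a text format with no
# fixed signature, which is checked as UTF-8 instead.
ALLOWED_TYPES = {
    ".csv": None,
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
}

PHP_SHELL = b"<?php system($_GET['c']); ?>"   # constructed sample payload


def save_upload_vulnerable(client_filename, data, webroot_dir):
    """The pattern the advisory describes: the client-supplied name is trusted,
    the content is never inspected, and the file lands in a web-served
    directory. 'shell.php' is written as-is and runs when its URL is requested."""
    path = os.path.join(webroot_dir, client_filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def save_upload_hardened(client_filename, data, storage_dir, max_bytes=5_000_000):
    """Allow-list the extension, verify the content matches it, drop the client's
    name and any directory components, and write under a random name into
    storage_dir, which is assumed to sit outside the web root (nothing there is
    ever served as a script)."""
    # Directory components, including backslash-separated ones, are discarded.
    basename = os.path.basename(client_filename.replace("\\", "/"))
    ext = os.path.splitext(basename)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension {ext!r} is not permitted")
    if len(data) > max_bytes:
        raise ValueError("upload exceeds size limit")
    magic = ALLOWED_TYPES[ext]
    if magic is not None:
        # A web shell renamed to .png fails here: it lacks the PNG signature.
        if not data.startswith(magic):
            raise ValueError(f"content does not match {ext}")
    else:
        # Text formats: must decode as UTF-8 and contain no NUL bytes.
        try:
            data.decode("utf-8")
        except UnicodeDecodeError as exc:
            raise ValueError("text upload is not valid UTF-8") from exc
        if b"\x00" in data:
            raise ValueError("text upload contains NUL bytes")
    # Server-chosen name; O_EXCL refuses to overwrite an existing file.
    stored_name = secrets.token_hex(16) + ext
    path = os.path.join(storage_dir, stored_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def _rejected(name, data, storage_dir):
    try:
        save_upload_hardened(name, data, storage_dir)
    except ValueError:
        return True
    return False


def run_demo():
    """Exercise both handlers on constructed inputs and return the outcomes."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed minimal PNG header
    results = {}
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as store:
        # Vulnerable handler: the shell is written under its own name into the web root.
        p = save_upload_vulnerable("shell.php", PHP_SHELL, webroot)
        results["vuln_accepts_php"] = os.path.basename(p) == "shell.php" and os.path.isfile(p)
        results["hard_rejects_php"] = _rejected("shell.php", PHP_SHELL, store)
        results["hard_rejects_fake_png"] = _rejected("shell.png", PHP_SHELL, store)
        results["hard_rejects_traversal"] = _rejected("../../shell.php", PHP_SHELL, store)
        results["hard_rejects_double_ext"] = _rejected("shell.php.png", PHP_SHELL, store)
        saved = save_upload_hardened("stats.png", png, store)
        results["hard_stores_png_renamed"] = (
            os.path.dirname(saved) == store
            and "stats" not in os.path.basename(saved)
            and saved.endswith(".png")
        )
        # PHP text inside a .csv passes as data, but it is stored under a random
        # .csv name outside the web root, so it can never be executed.
        saved_csv = save_upload_hardened("../report.php.csv", PHP_SHELL, store)
        results["csv_with_php_stored_inert"] = (
            saved_csv.endswith(".csv")
            and "php" not in os.path.basename(saved_csv)
            and os.path.dirname(saved_csv) == store
        )
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The content check alone is not the defence; a text format such as CSV will always admit script text. What makes the hardened path safe is the combination: the client never chooses the name or extension, the file is stored outside the web root, and a download endpoint would serve it with Content-Disposition: attachment rather than let the web server interpret it.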

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation leads to complete compromise of the affected server. Given that the system is a Police Statistics Database, an attacker could exfiltrate, modify, or delete whatever law enforcement statistics and personal data it holds. This could disrupt police operations, undermine trust in the data, cause significant reputational damage, and result in legal and regulatory penalties. The compromised server could also serve as a pivot point for further attacks against the internal network.

Remediation

Immediate Action: Apply the security patch provided by the vendor by updating the Police Statistics Database System to the latest version. After patching, review web server and application access logs for suspicious file uploads or access patterns that may indicate a prior compromise; patching closes the upload path but does not remove a web shell that has already been planted.

Proactive Monitoring: Implement enhanced monitoring to detect potential exploitation attempts.

  • Log Analysis: Scrutinize web server logs for POST requests to file upload endpoints and for GET requests to files with executable extensions (e.g., .php, .jsp, .aspx, .sh) in the upload directory. Note that a standard access log records the request path but not the filename inside a multipart upload body, so the subsequent GET for the planted file is often the clearer signal.
  • File Integrity Monitoring (FIM): Deploy FIM on web server directories to generate alerts for the creation of new, unexpected executable files.
  • Network Traffic Analysis: Monitor for unusual outbound connections from the server, which could indicate a web shell establishing a reverse connection to an attacker's command-and-control server.
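
The detection logic below is an added example, not tooling from the advisory or the vendor. It parses combined-format access log lines and flags requests for script-like files under the upload directory, noting whether the same client POSTed to the upload endpoint shortly before. The log lines are constructed for the example, and the endpoint path /stats/upload.php and the /uploads/ directory are assumptions; the advisory does not name the application's real paths.

```python
import os
import re
from datetime import datetime, timedelta

# Constructed combined-format access log lines. The upload endpoint and the
# /uploads/ directory are assumptions made for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2026:10:15:01 +0000] "POST /stats/upload.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [14/Mar/2026:10:15:04 +0000] "GET /uploads/cmd.php?c=id HTTP/1.1" 200 87 "-" "python-requests/2.31"
203.0.113.7 - - [14/Mar/2026:10:15:09 +0000] "GET /uploads/cmd.php.jpg HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.20 - - [14/Mar/2026:10:16:30 +0000] "POST /stats/upload.php HTTP/1.1" 200 640 "https://stats.example/form" "Mozilla/5.0"
198.51.100.20 - - [14/Mar/2026:10:16:35 +0000] "GET /uploads/report_2026q1.csv HTTP/1.1" 200 20480 "https://stats.example/form" "Mozilla/5.0"
192.0.2.9 - - [14/Mar/2026:10:20:00 +0000] "GET /uploads/old.aspx HTTP/1.1" 404 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Server-side script extensions a web-served upload directory should never contain.
EXEC_EXTS = {"php", "php5", "phtml", "jsp", "jspx", "asp", "aspx", "ashx", "sh", "cgi"}


def parse_line(line):
    """Return the fields needed for detection, or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("target").split("?", 1)[0]   # drop the query string
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": path, "status": int(m.group("status"))}


def has_executable_extension(path):
    """True if any extension segment of the file name is a script type, so
    double-extension names such as cmd.php.jpg are caught as well."""
    segments = os.path.basename(path).lower().split(".")[1:]
    return any(seg in EXEC_EXTS for seg in segments)


def analyze(lines, upload_endpoint="/stats/upload.php", upload_dir="/uploads/",
            window=timedelta(minutes=10)):
    """Flag requests for script-like files in the upload directory and record
    whether the same client POSTed to the upload endpoint within the window."""
    last_upload_post = {}
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == upload_endpoint:
            last_upload_post[rec["ip"]] = rec["ts"]
            continue
        if rec["path"].startswith(upload_dir) and has_executable_extension(rec["path"]):
            prior = last_upload_post.get(rec["ip"])
            correlated = prior is not None and timedelta(0) <= rec["ts"] - prior <= window
            alerts.append({
                "ip": rec["ip"], "path": rec["path"], "status": rec["status"],
                "correlated": correlated,
                # 2xx/3xx: the server served or executed the file. 4xx: probing.
                "severity": "high" if rec["status"] < 400 else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed lines, this yields three alerts: the correlated requests for /uploads/cmd.php and /uploads/cmd.php.jpg from 203.0.113.7 (upload followed within seconds by execution), and an uncorrelated 404 for /uploads/old.aspx that reads as probing. The legitimate CSV download is not flagged. Adapt the endpoint and directory arguments to the deployment's real paths before using it on production logs.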

Compensating Controls: If patching cannot be performed immediately, implement the following controls to reduce risk:

  • Deploy a Web Application Firewall (WAF) with strict rules to block the upload of files with executable extensions.
  • If possible, restrict network access to the application's upload functionality to trusted IP addresses only.
  • Configure the web server so that it never executes scripts from the upload directory (disable script handlers for that path) and, where possible, mount the directory with no-execute permissions at the file system level. Storing uploads outside the web root altogether is the stronger option.
  • Temporarily disable the file upload feature if it is not essential for business operations.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the CVSS score of 9.8 and the potential for complete system compromise, immediate remediation is imperative. All organizations using the affected Police Statistics Database System should prioritize applying the vendor-supplied patch. Although this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, unauthenticated file upload flaws are routinely exploited once details become public, making it a likely candidate for future inclusion. Organizations should assume they will be targeted and act swiftly to patch, monitor for signs of exploitation, and apply compensating controls wherever patching is delayed.