A critical vulnerability has been identified in multiple MeetingHub products developed by HAMASTAR Technology. This flaw allows a remote attacker, without needing any credentials, to upload malicious files to the server, which can then be used to execute code and gain complete control. Successful exploitation could lead to a full system compromise, resulting in data theft, service disruption, and further unauthorized access into the network.

The vulnerability is an Arbitrary File Upload. The affected software fails to properly validate files uploaded by users, allowing an unauthenticated, remote attacker to upload a malicious file, such as a web shell (e.g., a PHP or ASP script). After a successful upload, the attacker can access the file via a URL, causing the server to execute the code within the file. This provides the attacker with the ability to run arbitrary commands on the server with the privileges of the web service account, leading to a full compromise of the host.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation by an attacker could have a severe impact on the business, leading to a complete compromise of the affected server. Potential consequences include the exfiltration of sensitive corporate data, intellectual property, or personal information stored on the server; disruption of business operations due to service unavailability; and significant reputational damage. The compromised server could also be used as a pivot point to launch further attacks against the internal network or be leveraged in botnet or ransomware campaigns.

Immediate Action: Immediately apply the security patches provided by HAMASTAR Technology to update all affected MeetingHub products to the latest secure version. Before and after patching, thoroughly review server access logs, web server logs, and system logs for any signs of suspicious file uploads or anomalous activity that may indicate a prior compromise.

Proactive Monitoring: Implement continuous monitoring of the affected systems. Look for POST requests to file upload endpoints that result in the creation of executable file types (e.g., .php, .jsp, .aspx, .sh) in web-accessible directories. Monitor for unexpected outbound network connections from the MeetingHub server, which could indicate a web shell communicating with a command-and-control server. Utilize File Integrity Monitoring (FIM) to detect the creation of unauthorized files on the system.

Compensating Controls: If patching cannot be performed immediately, implement the following controls to reduce risk:

• Deploy a Web Application Firewall (WAF) with rules specifically designed to inspect and block malicious file uploads based on file type, name, and content.
• Restrict network access to the MeetingHub application, allowing connections only from trusted IP addresses and blocking all external access if possible.
• If the functionality is not essential, temporarily disable file uploads within the application.

Public Exploit Available: false

Given the critical severity of CVE-2026-1331, which allows for unauthenticated remote code execution, immediate remediation is imperative. We strongly recommend that organizations using affected MeetingHub products prioritize the deployment of vendor-supplied security updates across all vulnerable systems without delay. Although this vulnerability is not currently on the CISA KEV list, its high impact and ease of exploitation make it a prime candidate for future inclusion. After patching, a forensic review should be conducted to search for any indicators of compromise that may have occurred prior to remediation.