A high-severity vulnerability has been identified in multiple HAX CMS products, which could allow a remote attacker to compromise the underlying server. Successful exploitation could lead to a complete system takeover, resulting in data theft, service disruption, and significant reputational damage. Organizations are urged to apply the vendor-provided security patches immediately to mitigate this critical risk.

The vulnerability exists within the content management system's file handling or API processing logic, affecting both PHP and NodeJS backends. A remote, potentially unauthenticated, attacker could craft a malicious request to an exposed endpoint. This could allow for arbitrary code execution on the server, providing the attacker with the same level of permissions as the web service account, leading to a full compromise of the web application and its host server.

This vulnerability is rated as High severity with a CVSS score of 8.0, reflecting a significant risk to the organization. Exploitation could result in a complete loss of confidentiality, integrity, and availability for the affected web applications. Potential consequences include the theft of sensitive customer or corporate data, website defacement, distribution of malware from the compromised server, and disruption of business operations dependent on the affected microsites. The financial and reputational costs associated with such a breach could be substantial.

Immediate Action: Apply vendor security updates immediately across all instances of affected HAX CMS products. After patching, review server access logs and application logs for any signs of compromise, such as unusual file uploads, unexpected outbound network connections, or unauthorized administrative activity.

Proactive Monitoring: System administrators should actively monitor web server logs for suspicious POST requests to unexpected endpoints, particularly those involving file uploads. Network traffic should be monitored for anomalous outbound connections from the web server. Implement file integrity monitoring on the web application directories to detect unauthorized changes.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to block common remote code execution patterns. Restrict administrative access to the HAX CMS to trusted IP addresses only. Enforce strict file upload policies to ensure only non-executable file types are permitted.

Public Exploit Available: false

Given the high CVSS score of 8.0, this vulnerability presents a critical risk that must be addressed with urgency. Although CVE-2026-22704 is not currently listed on the CISA KEV (Known Exploited Vulnerabilities) catalog, its severity makes it a prime target for future exploitation. We strongly recommend that all organizations using affected HAX products prioritize the deployment of vendor-supplied patches within the next 72 hours. In parallel, implement the proactive monitoring and compensating controls outlined above to reduce the attack surface and enhance detection capabilities.