A critical vulnerability has been identified in the Erugo self-hosted file-sharing platform, allowing a low-privileged authenticated user to gain full control of the server. An attacker can exploit this flaw by uploading a malicious file to a web-accessible location, leading to remote code execution. This complete system compromise poses a severe risk of data theft, service disruption, and further network intrusion.

The vulnerability exists due to insufficient path validation in the file-sharing creation feature. An authenticated attacker with low-level privileges can specify a crafted file path, such as one using path traversal sequences (../), when creating a new share. This allows them to bypass directory restrictions and designate a share location anywhere on the filesystem where the application has write permissions, including the public web root directory. By subsequently uploading a web shell or other executable script to this share, the attacker can place malicious code in a publicly accessible location and execute it by simply visiting the corresponding URL, resulting in full remote code execution on the server.

This vulnerability is rated as critical severity with a CVSS score of 10. Successful exploitation results in a complete compromise of the server hosting the Erugo platform. This could lead to the theft or destruction of all stored data, installation of ransomware, or the use of the compromised server to launch further attacks against the internal network. The potential business impact includes significant data breach costs, regulatory fines, operational downtime, and severe reputational damage. Since the only prerequisite for an attacker is a low-privileged account, the risk of exploitation is high in any environment where user registration is open or multiple users have access.

Immediate Action: Immediately upgrade all instances of Erugo to version 0.2.15 or later, which contains the fix for this vulnerability. After patching, review server access logs and application logs for any signs of suspicious activity, such as unusual file creation requests or access to unexpected files in the web root.

Proactive Monitoring: Implement enhanced monitoring of the Erugo application and underlying server. Specifically, monitor application logs for share creation events containing path traversal sequences (../). Use file integrity monitoring (FIM) to alert on any new files, especially those with executable extensions (.php, .sh, .jsp, etc.), being written to the web root directory outside of normal deployment processes.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce risk:

• Deploy a Web Application Firewall (WAF) with rules to detect and block path traversal attacks.
• Strictly enforce file system permissions to prevent the web server's user account from writing to the web root or other sensitive directories.
• If business functionality allows, temporarily disable file upload capabilities for all non-administrative users.
• Audit all existing user accounts and remove any that are unnecessary or have excessive privileges.

Public Exploit Available: false

Due to the critical severity (CVSS 10.0) and the potential for a low-privileged user to achieve complete system compromise, this vulnerability requires immediate attention. All organizations using affected versions of Erugo must prioritize applying the update to version 0.2.15 or later. The low barrier to exploitation makes this an attractive target for attackers, and organizations should assume it will be actively targeted in the near future.