CVE-2026-25510

CI4MS · CMS Skeleton

An authenticated user with file editor permissions in CI4MS can achieve Remote Code Execution (RCE) by uploading and executing arbitrary PHP code via insecure file endpoints.

Executive summary

CI4MS is vulnerable to a critical Remote Code Execution (RCE) flaw that allows an authenticated user holding file editor permissions to execute arbitrary PHP code with the privileges of the web server process, and from there to take control of the application and its host.

Vulnerability

The vulnerability exists in the file creation and file save endpoints of the CMS. An authenticated attacker with "file editor" permissions can bypass the restrictions those endpoints place on file names and paths, and so create or modify PHP files on the server. Because the web server executes any .php file it finds under the document root, writing such a file is equivalent to running arbitrary code as the web server user; no further step is needed beyond requesting the file.
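The following is an added, constructed example (not CI4MS code, and not a reproduction of the actual vulnerable endpoint) that shows the class of weakness the advisory describes and the checks a file save endpoint needs. A naive check that only denies a lowercase ".php" suffix is bypassed by "shell.PHP", "shell.phtml", "shell.php.txt" on servers that match PHP extensions anywhere in the name, and "../../public/index.php"; the hardened version confines the resolved path to an editable directory, rejects any server-executable extension at any position, and then allowlists the final extension. The root directory, extension sets and function names are assumptions for the example; a PHP CMS would implement the same logic with realpath() and strcasecmp().

```python
from pathlib import Path

# Assumed editable directory and extension policy (constructed for this example).
EDITABLE_ROOT = "/srv/cms/writable/templates"
ALLOWED_EXTENSIONS = {"html", "css", "js", "txt", "md"}
# Extensions a typical PHP-enabled web server will execute or interpret as
# configuration; reject them anywhere in the name, not just at the end.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps", "pht",
    "htaccess",
}


class FileSaveRejected(ValueError):
    """Raised when a requested save path fails policy."""


def weak_is_allowed(filename: str) -> bool:
    """The kind of check that is bypassable: case-sensitive, suffix-only, no path confinement."""
    return not filename.endswith(".php")


def resolve_editable_path(root: str, user_path: str) -> Path:
    """Return the absolute path a save endpoint may write to, or raise FileSaveRejected.

    Order matters: confine the path first, then inspect the file name of the
    resolved target (so "a/../shell.php" is judged on "shell.php").
    """
    if not user_path or "\x00" in user_path:
        raise FileSaveRejected("empty or NUL-containing path")

    root_real = Path(root).resolve()
    # Joining an absolute user path discards root; resolve() then collapses
    # "..", "." and symlinks, so the containment check below is on real paths.
    candidate = (root_real / user_path).resolve()
    if candidate != root_real and root_real not in candidate.parents:
        raise FileSaveRejected("path escapes editable root")
    if candidate == root_real:
        raise FileSaveRejected("target is a directory, not a file")

    parts = candidate.name.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        # No extension at all, or a dotfile such as ".htaccess" / ".user.ini".
        raise FileSaveRejected("missing extension or hidden file")
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        # Catches shell.PHP, shell.phtml and shell.php.txt alike.
        raise FileSaveRejected("server-executable extension")
    if parts[-1] not in ALLOWED_EXTENSIONS:
        raise FileSaveRejected("extension not in allowlist")
    return candidate


def is_safe_save(root: str, user_path: str) -> bool:
    """Convenience wrapper returning True only when the path passes every check."""
    try:
        resolve_editable_path(root, user_path)
        return True
    except FileSaveRejected:
        return False


if __name__ == "__main__":
    for name in ["pages/about.html", "shell.PHP", "shell.phtml", "shell.php.txt",
                 "../../public/index.php", ".htaccess"]:
        print(f"{name!r:28} weak={weak_is_allowed(name)!s:5} hardened={is_safe_save(EDITABLE_ROOT, name)}")
```

The allowlist on the final extension is what actually holds the line; the executable-extension denylist exists only to give a clearer rejection reason and to catch multi-extension names. Apply the same function to both the create and the save endpoint, and to the directory-listing endpoint if one exists, since a permission to edit one file type must not become a permission to choose which file the server interprets.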

Business impact

Although exploitation requires an authenticated account, the CVSS score of 9.9 reflects that the impact is nearly total once such an account is misused or compromised. Successful exploitation grants the attacker the ability to execute any command with the privileges of the web server process, which can lead to data exfiltration, installation of persistent backdoors (a web shell survives application updates unless it is found and removed), or lateral movement within the hosting environment.

Remediation

Immediate Action: Update CI4MS to version 0.28.5.0 or later, which adds proper security checks to the file management operations.

Proactive Monitoring: Review file system changes in the web root for new or modified .php files (and any other extension the web server executes, such as .phtml), and audit the activities of users with file editor privileges. A file that has already been written before the patch is applied is not removed by the update, so a comparison against a known-good baseline is the only reliable way to find it.
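An added example of the monitoring described above, written for this page rather than taken from CI4MS or its documentation: a small file integrity checker that records a SHA-256 manifest of every server-executable file under the web root and later reports anything added, removed or modified. The web root path, the list of watched extensions and the manifest file name are assumptions; the sample manifests in the test are constructed.

```python
import hashlib
import json
import os
import sys
from pathlib import Path

# Extensions the web server may execute or read as configuration; a change to
# any of these in the web root should correspond to a known deployment.
WATCHED_SUFFIXES = (".php", ".phtml", ".phar", ".phps", ".htaccess", ".user.ini")


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> dict:
    """Map web-root-relative path -> sha256 for every watched file under root.

    Symlinks are skipped rather than followed: a link a file editor can create
    may point outside the web root, and hashing its target hides that fact.
    """
    root_path = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root_path, followlinks=False):
        for name in files:
            candidate = Path(dirpath) / name
            if candidate.is_symlink():
                continue
            if name.lower().endswith(WATCHED_SUFFIXES):
                manifest[str(candidate.relative_to(root_path))] = hash_file(candidate)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Compare two manifests; every entry in the result is worth a ticket."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def has_changes(report: dict) -> bool:
    return any(report[key] for key in ("added", "removed", "modified"))


def main(argv) -> int:
    # Usage: fim.py baseline <webroot> <manifest.json>
    #        fim.py check    <webroot> <manifest.json>
    if len(argv) != 4 or argv[1] not in ("baseline", "check"):
        print(__doc__ or "usage: fim.py baseline|check <webroot> <manifest.json>")
        return 2
    mode, webroot, manifest_file = argv[1], argv[2], argv[3]
    if mode == "baseline":
        # Take the baseline immediately after a trusted deployment, and keep it
        # outside the web root so a web-shell author cannot rewrite it.
        Path(manifest_file).write_text(json.dumps(snapshot(webroot), indent=2, sort_keys=True))
        return 0
    report = diff_manifests(json.loads(Path(manifest_file).read_text()), snapshot(webroot))
    print(json.dumps(report, indent=2))
    return 1 if has_changes(report) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run the baseline step right after installing 0.28.5.0 from a clean checkout, store the manifest outside the document root, and schedule the check from cron or the deployment pipeline; a non-zero exit code is the alert. Anything reported as added under an upload or cache directory deserves a look at its contents before it is deleted, since the file itself is the evidence of who wrote it and when.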

Compensating Controls: Enforce strict Role-Based Access Control (RBAC) so that the file editor permission is held only by the few accounts that need it, and disable the file editor functionality in production environments where it is not strictly necessary; content that must change in production can be deployed through the same pipeline as code.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The primary recommendation is to apply the security patch immediately. Additionally, organizations should adopt the principle of least privilege, ensuring that only highly trusted administrators hold file-editing capabilities, and should deploy file integrity monitoring (FIM) on the web root so that a file written before the patch was applied, or through a stolen file editor account afterwards, is detected rather than left in place.