CVE-2026-27604

FOSSBilling · FOSSBilling

An authorization bypass in the FOSSBilling API allows unauthenticated attackers to invoke administrative system functions by accessing restricted endpoints.

Executive summary

FOSSBilling contains a critical authentication bypass vulnerability that permits unauthenticated attackers to execute administrative API methods, risking full system compromise.

Vulnerability

An authorization flaw in the API role handling logic fails to enforce proper credentials for /api/system/* endpoints. This allows an unauthenticated user to assume the identity of the cron administrator and execute sensitive system-level commands.

Business impact

With a CVSS score of 10.0, this vulnerability allows for total unauthorized control over the billing and client management system. Attackers could exfiltrate sensitive client data, modify billing records, or gain persistent access to the server, leading to severe reputational and financial damage.

Remediation

Immediate Action: Upgrade to FOSSBilling version 0.8.0 or later to resolve the authentication bypass.

Proactive Monitoring: Review API access logs for any requests directed at /api/system/* originating from untrusted sources and treat such activity as a potential security incident.

Compensating Controls: Block external access to /api/system/* endpoints at the reverse proxy or WAF level and restrict API access to known, trusted source IP addresses.
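As an added example for the log review described above (not part of this advisory or of FOSSBilling's own tooling), the following Python script parses combined-format access log lines and flags every request to /api/system/* whose source address is outside a trusted allow-list. The log format, the trusted network ranges, the sample lines and the "example_method" path segment are all constructed assumptions.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Pattern for the nginx/Apache "combined" access log format (assumed; adjust to your log format).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Allow-listed sources, e.g. the host that runs the cron job (constructed ranges, not real values).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("10.0.0.0/8"),
]

def is_trusted(ip: str) -> bool:
    """True if the client IP falls inside one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: never treat it as trusted
    return any(addr in net for net in TRUSTED_NETWORKS)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into its fields, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every /api/system/* request whose source is outside TRUSTED_NETWORKS."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string before matching the prefix
        if path.startswith("/api/system/") and not is_trusted(rec["ip"]):
            hits.append(rec)  # status code is kept so 403s can be triaged alongside 200s
    return hits

# Constructed sample lines; "example_method" is a placeholder, not a real FOSSBilling method name.
SAMPLE_LOG = [
    '203.0.113.45 - - [10/Mar/2026:08:15:22 +0000] "GET /api/system/example_method HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '10.0.0.5 - - [10/Mar/2026:08:16:01 +0000] "GET /api/system/example_method HTTP/1.1" 200 512 "-" "cron"',
    '198.51.100.7 - - [10/Mar/2026:08:17:09 +0000] "GET /api/client/example_method HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [10/Mar/2026:08:18:30 +0000] "POST /api/system/example_method?x=1 HTTP/1.1" 403 64 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
```

Feed real log lines in place of SAMPLE_LOG and replace TRUSTED_NETWORKS with the addresses that legitimately call the API; any hit is a candidate incident under the advisory's monitoring guidance.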

Exploitation status

Public Exploit Available: No

Analyst recommendation

Immediate remediation is required to secure the FOSSBilling environment. Beyond updating the software, administrators should rotate all API tokens and invalidate existing sessions to ensure that any potential unauthorized access that occurred prior to patching is terminated.