CVE-2026-33543
FOSSBilling · FOSSBilling
A flawed administrator existence check in the FOSSBilling guest API allows unauthenticated attackers to create new administrator accounts, leading to full system compromise.
Executive summary
An unauthenticated attacker can create an administrator account in FOSSBilling through the guest API and thereby take full control of the application and of the billing and customer data it holds. This is a critical risk to organizational data and operations for any exposed, unpatched instance.
Vulnerability
The guest API endpoint /api/guest/staff/create is reachable without authentication and relies on a check for an existing administrator account to decide whether a new one may be created. Because of an improper type check, that existence check does not behave as intended and the endpoint does not refuse the request once an administrator already exists. An unauthenticated attacker can therefore create an additional, fully privileged administrative user and log in with it.
Business impact
Successful exploitation gives the attacker an administrator account and with it total control of the billing and client management system: billing and customer data can be exfiltrated, services and orders can be manipulated, and the integrity of the whole deployment is lost. The CVSS score of 9.3 (Critical) reflects that the attack requires no credentials, and an attacker-created administrator is indistinguishable in privilege from a legitimate one.
Remediation
Immediate Action: Upgrade FOSSBilling to version 0.8.0 or later, which corrects the logic error in the guest API endpoint. This is the only complete fix.
Proactive Monitoring: Search web server access logs for requests to /api/guest/staff/create (any HTTP method, any status code) and compare the administrator list against the accounts your staff actually provisioned. Because the public exploitation status is unknown, treat any administrator account that nobody can account for as a sign of compromise and investigate it rather than simply deleting it.
Compensating Controls: Until the patch is applied, restrict public access to the /api/guest/staff/create path (or, more broadly, the /api/guest/ directory) at the web server or WAF level. Note that the guest API serves other unauthenticated functions, so a block on the whole directory may break client-facing features; the narrower rule on the create endpoint is preferable, and whichever rule is used must cover every HTTP method and path variant (trailing slash, letter case) that the server would still route to the endpoint.
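The log review and account audit recommended above, as an added example written for this advisory (it is not FOSSBilling code and does not reproduce the vulnerable check). It assumes the web server writes Apache/nginx combined-format access logs and that the administrator table has been exported into simple records with an e-mail and a created_at timestamp in UTC; the log lines, administrator records and allowlist below are constructed for the example. It reports every request to the create endpoint regardless of method or status, lists administrators outside the operator's allowlist, and flags administrators whose creation time falls shortly after a successful (HTTP 200) request to the endpoint.

```python
"""Hunt for CVE-2026-33543 exploitation attempts and unexpected FOSSBilling administrators.

Added example for this advisory, not FOSSBilling code. Assumes combined-format access
logs and an exported administrator list with UTC created_at values.
"""
import re
from datetime import datetime, timezone

# Endpoint named in the advisory. Match case-insensitively, with an optional trailing
# slash and query string, and do not assume a particular HTTP method.
TARGET = re.compile(r"^/api/guest/staff/create/?(\?.*)?$", re.IGNORECASE)

# Apache/nginx combined log format (assumption: the host uses that format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines, not taken from any real host.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2026:02:14:05 +0000] "POST /api/guest/staff/create HTTP/1.1" 200 61 "-" "curl/8.5.0"',
    '198.51.100.9 - - [12/Mar/2026:02:14:09 +0000] "GET /api/guest/client/login HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2026:02:15:40 +0000] "GET /api/guest/Staff/create?email=x HTTP/1.1" 403 22 "-" "curl/8.5.0"',
    '192.0.2.5 - - [12/Mar/2026:03:00:00 +0000] "GET /index.php HTTP/1.1" 200 9034 "-" "Mozilla/5.0"',
]

# Constructed export of the administrator table and the operator's allowlist.
SAMPLE_ADMINS = [
    {"id": 1, "email": "ops@example.com", "created_at": "2025-11-03 09:12:00"},
    {"id": 2, "email": "billing@example.com", "created_at": "2025-11-03 09:15:00"},
    {"id": 3, "email": "support-tmp@example.net", "created_at": "2026-03-12 02:14:05"},
]
APPROVED = ["ops@example.com", "billing@example.com"]


def find_create_attempts(log_lines):
    """Return (ip, timestamp, method, status) for every request to the create endpoint.

    All hits are reported whatever the status code: on an unpatched host a 200 means an
    administrator was probably created, and other codes still show the endpoint being probed.
    Lines that do not parse are skipped, not treated as safe.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and TARGET.match(m["path"]):
            hits.append((m["ip"], m["ts"], m["method"], int(m["status"])))
    return hits


def unexpected_admins(admin_rows, approved_emails):
    """Return administrator records whose e-mail is not on the operator's allowlist."""
    approved = {e.lower() for e in approved_emails}
    return [row for row in admin_rows if row["email"].lower() not in approved]


def admins_created_near_hits(hits, admin_rows, window_seconds=120):
    """Return ids of administrators created within window_seconds after a successful
    (HTTP 200) request to the create endpoint. Assumes created_at is stored in UTC."""
    successes = [
        datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        for _, ts, _, status in hits
        if status == 200
    ]
    flagged = []
    for row in admin_rows:
        created = datetime.strptime(row["created_at"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if any(0 <= (created - t).total_seconds() <= window_seconds for t in successes):
            flagged.append(row["id"])
    return flagged


if __name__ == "__main__":
    hits = find_create_attempts(SAMPLE_LOG)
    for ip, ts, method, status in hits:
        print(f"create endpoint hit: {ip} {ts} {method} -> {status}")
    for row in unexpected_admins(SAMPLE_ADMINS, APPROVED):
        print(f"administrator not on allowlist: id={row['id']} {row['email']} created {row['created_at']}")
    for admin_id in admins_created_near_hits(hits, SAMPLE_ADMINS):
        print(f"administrator id={admin_id} was created right after a successful create request")
```

On real data, feed the access log through find_create_attempts and the exported administrator table through the other two functions; the allowlist is the operator's record of who should exist, and any record the script flags warrants a forensic look at the surrounding log entries rather than an immediate deletion.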
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability gives an unauthenticated attacker a direct path to full administrative access, so the upgrade to 0.8.0 should be handled as an emergency change rather than routine maintenance. After patching, review the administrator list and the access logs: the patch closes the door but does not remove an account an attacker may already have created.