CVE-2026-3431
SimStudio · SimStudio
SimStudio's MongoDB tool endpoints allow unauthenticated attackers to connect to arbitrary MongoDB instances and perform unauthorized data operations due to missing host restrictions.
Executive summary
SimStudio versions below 0.5.74 contain unauthenticated MongoDB tool endpoints that can be leveraged by attackers to read, modify, or delete data on reachable MongoDB instances.
Vulnerability
The MongoDB tool endpoints in SimStudio neither require authentication nor restrict the hosts they will connect to. An unauthenticated attacker can supply arbitrary connection parameters to these endpoints and use the SimStudio server as a proxy to any MongoDB instance the server can reach, including databases on internal networks that are not exposed to the attacker directly.
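The following TypeScript is an added illustration, not SimStudio's own code: it models a MongoDB tool endpoint with the flaw described above (the caller picks the target, nobody is authenticated), beside a hardened version that requires a session and allowlists the target host. The request shape, the handler and type names, and the allowlist value mongo.internal.example are assumptions made for the example.

```typescript
// Added example, not SimStudio's own code. ToolRequest, Dialer,
// handleMongoToolVulnerable, handleMongoToolHardened, parseMongoTarget and
// MONGO_HOST_ALLOWLIST are hypothetical names, not SimStudio identifiers.

interface ToolRequest {
  // Set by upstream auth middleware when the caller is logged in; absent otherwise.
  session?: { userId: string };
  body: { connectionString: string; database: string; collection: string; op: "find" | "deleteMany" };
}

interface ToolResponse { status: number; body: string }

// Stand-in for the MongoDB driver: records the host the server would connect to.
type Dialer = (host: string, port: number) => void;

// 1. The flawed shape: the unauthenticated caller chooses the target outright, so the
//    server becomes a proxy to any MongoDB instance it can reach.
function handleMongoToolVulnerable(req: ToolRequest, dial: Dialer): ToolResponse {
  const u = new URL(req.body.connectionString);
  dial(u.hostname, u.port === "" ? 27017 : Number(u.port));
  return { status: 200, body: `ran ${req.body.op} on ${u.hostname}` };
}

// Operator-maintained list of approved database hosts (hypothetical deployment value).
// Exact hostnames only: no wildcards, and no DNS resolution at check time.
const MONGO_HOST_ALLOWLIST = new Set(["mongo.internal.example"]);

// Parse a single-host MongoDB URL into host and port, rejecting anything else.
function parseMongoTarget(connectionString: string): { host: string; port: number } | null {
  let u: URL | null = null;
  try { u = new URL(connectionString); } catch { /* not a URL at all */ }
  if (!u) return null;
  if (u.protocol !== "mongodb:" && u.protocol !== "mongodb+srv:") return null;
  // mongodb:// permits "host1:27017,host2:27017" seed lists; the URL parser does not
  // understand them, so a comma in the host part means an unsupported multi-host form.
  if (u.hostname === "" || u.hostname.includes(",")) return null;
  const port = u.port === "" ? 27017 : Number(u.port);
  if (!Number.isInteger(port) || port < 1 || port > 65535) return null;
  return { host: u.hostname.toLowerCase(), port };
}

// 2. Hardened: authenticate first, then parse, then allowlist the host. The caller's
//    string is never handed to the driver as-is; only the checked host and port are.
function handleMongoToolHardened(req: ToolRequest, dial: Dialer): ToolResponse {
  if (!req.session) return { status: 401, body: "authentication required" };
  const target = parseMongoTarget(req.body.connectionString);
  if (!target) return { status: 400, body: "unsupported connection string" };
  if (!MONGO_HOST_ALLOWLIST.has(target.host)) {
    return { status: 403, body: `${target.host} is not an approved MongoDB target` };
  }
  dial(target.host, target.port);
  return { status: 200, body: `ran ${req.body.op} on ${target.host}` };
}

// Constructed attacker request: no session, aimed at an internal database that the
// attacker cannot reach directly but the application server can.
const ATTACKER_REQUEST: ToolRequest = {
  body: { connectionString: "mongodb://10.0.3.7:27017", database: "billing", collection: "customers", op: "deleteMany" },
};

// Run the same request through both handlers and report which hosts each one dialed.
function runBoth(req: ToolRequest): { vulnerableDialed: string[]; hardenedDialed: string[]; hardenedStatus: number } {
  const vulnerableDialed: string[] = [];
  const hardenedDialed: string[] = [];
  handleMongoToolVulnerable(req, (h, p) => { vulnerableDialed.push(`${h}:${p}`); });
  const res = handleMongoToolHardened(req, (h, p) => { hardenedDialed.push(`${h}:${p}`); });
  return { vulnerableDialed, hardenedDialed, hardenedStatus: res.status };
}

console.log(runBoth(ATTACKER_REQUEST));
```

Two design points worth keeping when adapting this: the allowlist is matched on the exact hostname the operator approved, not on what that name resolves to at request time, so a mongodb+srv:// name on the list must be one whose DNS you control; and the authentication check comes before any parsing, so unauthenticated callers learn nothing about what the endpoint accepts.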
Business impact
This flaw enables unauthorized data access and manipulation, up to the destruction of critical databases or the theft of sensitive information. The CVSS score of 9.8 reflects a critical risk: the SimStudio deployment itself becomes the attacker's tool for reaching and exploiting databases.
Remediation
Immediate Action: Upgrade SimStudio to version 0.5.74 or later. Ensure that all database tool endpoints are properly secured behind authentication.
Proactive Monitoring: Inspect network traffic for unusual connections to MongoDB ports (typically 27017) originating from the SimStudio application server.
Compensating Controls: Use firewall rules to restrict the SimStudio server's ability to initiate outbound connections to database ports except for authorized internal targets.
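The monitoring step above can be turned into a concrete check. The TypeScript below is an added example, not part of this advisory or of SimStudio: it parses constructed connection-log lines and flags any MongoDB-port connection from a SimStudio host to a database endpoint that is not on the approved list. The log line format, the SimStudio server address 10.0.1.20 and the approved endpoint 10.0.3.5:27017 are assumptions made for the example.

```typescript
// Added example, not part of the advisory or of SimStudio. Log format, addresses
// and the approved endpoint are assumptions.

interface Flow { ts: string; srcIp: string; srcPort: number; dstIp: string; dstPort: number }

// One record per connection attempt, e.g. from a flow exporter or host firewall log.
const FLOW_RE = /^(\S+) src=(\d{1,3}(?:\.\d{1,3}){3}):(\d+) dst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\b/;

function parseFlow(line: string): Flow | null {
  const m = FLOW_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], srcIp: m[2], srcPort: Number(m[3]), dstIp: m[4], dstPort: Number(m[5]) };
}

// Hosts that run SimStudio, and the database endpoints they are allowed to talk to.
const SIMSTUDIO_SERVERS = new Set(["10.0.1.20"]);
const APPROVED_MONGO_ENDPOINTS = new Set(["10.0.3.5:27017"]);
// 27017 is the mongod/mongos default; 27018 and 27019 are the shard and config server defaults.
const MONGO_PORTS = new Set([27017, 27018, 27019]);

// Flag any MongoDB-port connection from a SimStudio host to an endpoint not on the approved list.
function findUnexpectedMongoEgress(lines: string[]): Flow[] {
  const hits: Flow[] = [];
  for (const line of lines) {
    const f = parseFlow(line);
    if (!f) continue;                                   // unparseable line: skip, do not abort the job
    if (!SIMSTUDIO_SERVERS.has(f.srcIp)) continue;      // only the application server is in scope
    if (!MONGO_PORTS.has(f.dstPort)) continue;          // only database ports
    if (APPROVED_MONGO_ENDPOINTS.has(`${f.dstIp}:${f.dstPort}`)) continue;
    hits.push(f);
  }
  return hits;
}

// Collapse hits to distinct targets so a sweep of a subnet yields a few alerts, not thousands.
function distinctTargets(hits: Flow[]): string[] {
  return [...new Set(hits.map(f => `${f.dstIp}:${f.dstPort}`))].sort();
}

// Constructed sample log.
const SAMPLE_LOG = [
  "2026-03-02T10:14:05Z src=10.0.1.20:51422 dst=10.0.3.5:27017 proto=tcp",    // approved database
  "2026-03-02T10:14:09Z src=10.0.1.20:51430 dst=10.0.3.7:27017 proto=tcp",    // internal DB SimStudio should never touch
  "2026-03-02T10:14:10Z src=10.0.1.20:51431 dst=10.0.3.7:27017 proto=tcp",    // same target again
  "2026-03-02T10:14:11Z src=10.0.1.20:51432 dst=203.0.113.9:27017 proto=tcp", // external host
  "2026-03-02T10:14:12Z src=10.0.1.20:51433 dst=10.0.2.8:443 proto=tcp",      // not a MongoDB port
  "2026-03-02T10:14:15Z src=10.0.5.3:40001 dst=10.0.3.7:27017 proto=tcp",     // not a SimStudio host
  "malformed line",
];

console.log(distinctTargets(findUnexpectedMongoEgress(SAMPLE_LOG)));
```

Pair this with the firewall control: once outbound database traffic from the SimStudio host is restricted to the approved endpoints, any hit from this check is either a rule gap or an attempt to use the endpoints as a proxy, and both deserve a look.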
Exploitation status
Public Exploit Available: No
Analyst recommendation
Exposing database management tools without authentication is a high-risk condition. Organizations should update SimStudio immediately and audit their network architecture so that the SimStudio server can reach only the database services it legitimately needs.