CVE-2026-4312

DrangSoft · GCB/FCB Audit Software

A missing authentication vulnerability in DrangSoft GCB/FCB Audit Software allows unauthenticated remote attackers to create unauthorized administrative accounts via exposed account-management APIs.

Executive summary

DrangSoft GCB/FCB Audit Software is susceptible to a critical authentication bypass that allows unauthenticated attackers to grant themselves full administrative access.

Vulnerability

The software fails to enforce authentication on specific API endpoints used for account management. This allows an unauthenticated remote attacker to directly call these APIs and create a new account with administrative privileges.

Business impact

The impact of this vulnerability is Critical (CVSS 9.8). An attacker with administrative access can modify audit records, delete sensitive data, and manipulate financial or compliance reports. This completely undermines the integrity of the audit software and could lead to severe legal and regulatory consequences.

Remediation

Immediate Action: Update the DrangSoft GCB/FCB Audit Software to the latest version to enforce proper authentication checks on all API endpoints.

Proactive Monitoring: Review the administrative user list for any unrecognized accounts and audit the system logs for account-management API calls originating from unexpected IP addresses.

Compensating Controls: Place the audit software behind a VPN or a Zero Trust Network Access (ZTNA) solution to restrict API access to authorized personnel only.
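The monitoring step above, as an added example that is not from this advisory or the vendor: a Python scan over constructed access-log lines that flags successful account-creation calls made without an authenticated user or from outside a trusted network, plus a diff of the live administrator list against an approved baseline. The endpoint path and trusted range are hypothetical placeholders.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed CLF-style access log. "/api/v1/users" is a hypothetical
# placeholder; the advisory does not name the real account-management endpoint.
SAMPLE_LOG = """\
10.0.5.21 - alice [12/Mar/2026:09:14:02 +0000] "POST /api/v1/users HTTP/1.1" 201 312
203.0.113.77 - - [12/Mar/2026:09:15:40 +0000] "POST /api/v1/users HTTP/1.1" 201 312
10.0.5.30 - bob [12/Mar/2026:09:16:01 +0000] "GET /api/v1/reports HTTP/1.1" 200 8812
10.0.5.30 - - [12/Mar/2026:09:17:55 +0000] "POST /api/v1/users HTTP/1.1" 201 312
198.51.100.9 - - [12/Mar/2026:09:18:20 +0000] "POST /api/v1/users HTTP/1.1" 401 87
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)

# Hypothetical deployment assumptions: the account-management path(s) and the
# networks administrators are expected to work from.
ACCOUNT_MGMT_PATHS = {"/api/v1/users"}
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_account_creations(log_text):
    """Successful account-creation calls made without an authenticated
    user, or from outside the trusted networks, with the reason(s)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] not in ACCOUNT_MGMT_PATHS:
            continue
        if not rec["status"].startswith("2"):
            continue  # a 401/403 here means the check held; skip
        reasons = []
        if rec["user"] == "-":
            reasons.append("no authenticated user")
        if not any(ip_address(rec["ip"]) in net for net in TRUSTED_NETWORKS):
            reasons.append("source outside trusted networks")
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "reasons": reasons})
    return findings


def unrecognized_admins(current_admins, approved_admins):
    """Administrators present live but absent from the approved baseline."""
    return sorted(set(current_admins) - set(approved_admins))
```

Feed the function your real access log and the second function the output of the product's administrator listing; every finding and every unrecognized account should be traceable to a change ticket.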

Exploitation status

Public Exploit Available: No

Analyst recommendation

Apply the vendor's patch immediately. Administrative account creation is the "keys to the kingdom," and leaving this vulnerability unpatched is an unacceptable risk to organizational data integrity and compliance posture.