A critical authentication bypass in the Faction framework allows unauthenticated attackers to perform unauthorized template management operations.

The AccessControlInterceptor fails to validate sessions for Struts2 actions, and several boilerplate configuration methods perform no local session checks. This allows an unauthenticated attacker to interact with the system's template management functions.

With a CVSS score of 9.8, this flaw allows an unauthenticated attacker to compromise the integrity of the PenTesting reports and templates. This could lead to the permanent loss of documentation, data tampering, or the injection of malicious content into future reports.

Immediate Action: Update the Faction PenTesting Framework to version 1.8.3 or later.

Proactive Monitoring: Monitor application logs for unauthorized access to configuration actions and audit the integrity of boilerplate templates.

Compensating Controls: Place the Faction instance behind a VPN or restricted network and implement additional authentication layers if possible.

Public Exploit Available: True

Organizations using the Faction PenTesting Framework must update to version 1.8.3 immediately. Because an exploit is publicly available, the risk of unauthenticated access to sensitive PenTesting report templates is extreme.