CVE-2026-45549
Roxy-WI · Roxy-WI
Roxy-WI versions 8.2.6.4 and prior contain an authentication bypass vulnerability triggered by specific URL patterns, potentially allowing unauthenticated access to the API.
Executive summary
An authentication bypass vulnerability in Roxy-WI allows unauthenticated attackers to access the API, potentially leading to unauthorized system control.
Vulnerability
The authentication check keys on the presence of the substring 'api' in the request URL rather than on the route the request actually resolves to. Requests that match that pattern reach API functionality without credentials; the reported case is the /api/gpt endpoint, which an unauthenticated client can interact with directly.
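As an added illustration of this class of flaw (constructed example code, not Roxy-WI's source, and not a claim about the exact root cause of this CVE): a gateway check that decides on whether the letters 'api' appear anywhere in the raw URL, beside a hardened check that resolves the path first, looks it up in an explicit route table and denies anything unknown. The route names, the token value and the Request fields are all hypothetical.

```python
"""Illustrative auth gate: substring match on 'api' (weak) vs. resolved-route
lookup (hardened). Constructed example, not Roxy-WI code; routes, token and
field names are hypothetical."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Request:
    url: str                              # path plus optional query string
    session_user: Optional[str] = None    # set when a valid web-UI session exists
    api_token: Optional[str] = None       # set when an API token header is present


VALID_API_TOKENS = {"tok-constructed-123"}   # constructed sample token
TOKEN_CHECKING_ROUTES = {"/api/servers"}      # hypothetical: routes that verify a token themselves


def weak_is_authorized(req: Request) -> bool:
    """Weak gate: if 'api' appears anywhere in the raw URL, skip the session
    check and trust the route to enforce a token. Any 'api' route without its
    own check (here /api/gpt), and any non-API URL that merely contains the
    letters 'api' (/rapid, /users?next=/api), is let through with no
    credentials at all."""
    if "api" in req.url:
        if req.url in TOKEN_CHECKING_ROUTES:
            return req.api_token in VALID_API_TOKENS
        return True
    return req.session_user is not None


# Hypothetical route table: every route states the credential it requires.
ROUTES = {
    "/api/servers": "token",
    "/api/gpt": "token",
    "/users": "session",
    "/rapid": "session",
}


def hardened_is_authorized(req: Request) -> bool:
    """Hardened gate: resolve the path (query string discarded, trailing slash
    normalised), look it up in an explicit table, deny anything unknown, and
    apply the credential the table demands. No substring matching."""
    path = urlsplit(req.url).path.rstrip("/") or "/"
    requirement = ROUTES.get(path)
    if requirement is None:
        return False                      # unknown route: deny by default
    if requirement == "token":
        return req.api_token in VALID_API_TOKENS
    return req.session_user is not None


if __name__ == "__main__":
    for url in ("/api/gpt", "/rapid", "/users?next=/api"):
        r = Request(url)                  # anonymous: no session, no token
        print(f"{url:20} weak={weak_is_authorized(r)} hardened={hardened_is_authorized(r)}")
```

The hardened version makes the authorization decision on the resolved path and an explicit per-route requirement, so a new endpoint added under /api/ without its own token check is denied rather than silently exposed, and a URL that happens to contain 'api' in another segment or in the query string gets the normal session check.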
Business impact
With a CVSS score of 8.8 (High), this vulnerability poses a serious risk to the load balancers and web servers Roxy-WI manages, such as HAProxy, Nginx and Apache. An unauthenticated attacker who reaches the management API could modify server configurations, read sensitive data, or disrupt service availability.
Remediation
Immediate Action: Update Roxy-WI to a release later than 8.2.6.4 that contains the fix for the API authentication bypass.
Proactive Monitoring: Audit web server and application access logs for unauthenticated requests to the /api/gpt endpoint, and for requests in which 'api' appears outside the expected /api/ path prefix (for example in a query string or in another path segment).
Compensating Controls: Restrict access to the Roxy-WI web interface at the network level, ensuring it is only accessible via a VPN or from trusted administrative IP addresses.
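The monitoring and compensating-control items above, as an added example (constructed code and constructed log lines, not tooling from Roxy-WI or this advisory): a scanner over access-log lines in combined log format that flags hits on /api/gpt, 'api' in a query string or in a non-/api/ path, and any request arriving from outside an assumed trusted administrative network. The trusted network, the sample addresses and the log lines are all made up.

```python
"""Flag suspicious Roxy-WI access-log lines. Constructed example; the log
lines, the trusted admin network and the rule names are assumptions."""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Combined log format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed: the only network that should reach the web interface at all.
TRUSTED_ADMIN_NETS = [ip_network("192.0.2.0/24")]

# Constructed sample log; none of these addresses or requests are real.
SAMPLE_LOG = """
203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "POST /api/gpt HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2026:12:00:02 +0000] "GET /users?next=/api HTTP/1.1" 200 1200 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2026:12:00:03 +0000] "GET /api/servers HTTP/1.1" 401 80 "-" "python-requests/2.31"
192.0.2.10 - - [10/Mar/2026:12:00:04 +0000] "GET /login HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2026:12:00:05 +0000] "GET /rapid HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""


def flag_request(ip: str, target: str) -> List[str]:
    """Return the list of rule names a single request trips (empty if none)."""
    path, _, query = target.partition("?")
    lowered = path.lower()
    reasons: List[str] = []
    if lowered.startswith("/api/gpt"):
        reasons.append("gpt-endpoint")               # the endpoint named in the advisory
    if "api" in query.lower():
        reasons.append("api-in-query")               # 'api' smuggled into the query string
    if "api" in lowered and not lowered.startswith("/api/"):
        reasons.append("api-outside-api-prefix")     # e.g. /rapid: substring, not a route
    if not any(ip_address(ip) in net for net in TRUSTED_ADMIN_NETS):
        reasons.append("untrusted-source")           # network restriction not in effect
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Parse each log line and keep only those that trip at least one rule."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                  # not a combined-format line
        reasons = flag_request(m["ip"], m["target"])
        if reasons:
            hits.append({
                "ip": m["ip"],
                "method": m["method"],
                "path": m["target"].partition("?")[0],
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.strip().splitlines()):
        print(hit)
```

In a real deployment the "untrusted-source" rule should fire on nothing at all once the interface is restricted to the VPN or the administrative address range; any hit on it is evidence the network control is not actually in place, independent of the patch status.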
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the ability for unauthenticated users to interact with critical management APIs, this vulnerability must be addressed immediately. Restricting network access is a vital interim step while permanent updates are prepared and deployed.