CVE-2026-45552

Roxy-WI · Roxy-WI (Management Interface for Haproxy, Nginx, Apache, Keepalived)

Roxy-WI 8.2.6.4 and prior contains an authentication bypass vulnerability (in practice a missing-authorization flaw): multiple administrative endpoints lack the role and group checks that should restrict them to administrators of the relevant server group.

Executive summary

The flaw lets any authenticated Roxy-WI user, including low-privilege guest accounts, invoke administrative actions on managed servers that should require an administrator role and membership in the server's group. Authentication itself is not defeated; the checks that are missing are the authorization (role and group) checks applied after login, so the practical effect is vertical privilege escalation from guest to administrator.

Vulnerability

The root cause is that several sensitive endpoints lack the authorization decorators that verify the caller's role and group access before the handler runs. Consequently, any authenticated user can trigger management tasks, such as installing a WAF or GeoIP databases, and those tasks execute with the high-privilege Ansible credentials that the Roxy-WI server holds for the managed hosts. Because the task runs with the server's credentials rather than the requester's, the missing decorator is the only control standing between a guest account and privileged changes on the load balancer.
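To make the failure mode concrete, here is an added illustration (not Roxy-WI's own code) of what a handler looks like without the authorization decorators beside the same handler with role and group checks enforced. The `User` model, the `ROLE_LEVEL` ordering, the `require_role` and `require_group_for_server` decorators, the `SERVERS` table and the `install_waf` handler names are all assumptions made for the example; the privileged task runner is a stand-in for the Ansible call.

```python
"""Added example, not project code: a privileged endpoint with and without
role/group authorization decorators. All names below are hypothetical."""
from dataclasses import dataclass
from functools import wraps

# Assumed role ordering (lowest to highest); the real product's roles may differ.
ROLE_LEVEL = {"guest": 1, "user": 2, "admin": 3, "superAdmin": 4}

# Stand-in for the managed-server records: server id -> owning group id.
SERVERS = {"lb-1": 10, "lb-2": 20}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    groups: frozenset  # group ids the user is a member of


class Forbidden(Exception):
    """Raised when an authorization check rejects the caller."""


def require_role(min_role):
    """Decorator: refuse callers whose role is below min_role."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if ROLE_LEVEL.get(user.role, 0) < ROLE_LEVEL[min_role]:
                raise Forbidden(f"{user.name}: role {user.role} is below {min_role}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


def require_group_for_server(fn):
    """Decorator: refuse callers who are not in the target server's group."""
    @wraps(fn)
    def wrapper(user, server_id, *args, **kwargs):
        if server_id not in SERVERS:
            raise KeyError(f"unknown server {server_id}")
        if SERVERS[server_id] not in user.groups:
            raise Forbidden(f"{user.name}: not a member of the group owning {server_id}")
        return fn(user, server_id, *args, **kwargs)
    return wrapper


def run_ansible_task(server_id, playbook):
    """Stand-in for the privileged task runner; it would use the server-side
    Ansible credentials regardless of who asked. Returns what it would do."""
    return {"server": server_id, "playbook": playbook, "privileged": True}


# Vulnerable shape: reachable by any logged-in user, no role or group check.
def install_waf_vulnerable(user, server_id):
    return run_ansible_task(server_id, "waf.yml")


# Hardened shape: role is checked first, then group membership for the target.
@require_role("admin")
@require_group_for_server
def install_waf(user, server_id):
    return run_ansible_task(server_id, "waf.yml")


def attempt(handler, user, server_id):
    """Return True if the handler ran, False if an authorization check refused it."""
    try:
        handler(user, server_id)
    except Forbidden:
        return False
    return True


# Constructed sample accounts for the demonstration.
GUEST = User("guest7", "guest", frozenset({10}))
ADMIN_LB1 = User("admin1", "admin", frozenset({10}))
ADMIN_LB2 = User("admin2", "admin", frozenset({20}))

if __name__ == "__main__":
    for label, handler in (("vulnerable", install_waf_vulnerable), ("hardened", install_waf)):
        for who in (GUEST, ADMIN_LB1, ADMIN_LB2):
            print(label, who.name, "lb-1", "allowed" if attempt(handler, who, "lb-1") else "denied")
```

The order of the decorators matters: the cheap role check runs before the group lookup, and both run before any credentialed work starts. Note that the group check is what prevents an administrator of one group from touching another group's servers, which is the cross-tenant aspect of this advisory.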

Business impact

Rated CVSS 9.9, the flaw gives an attacker holding any Roxy-WI account unauthorized control over the managed HAProxy, Nginx, Apache and Keepalived hosts and a path for lateral movement through them. An attacker could reconfigure security appliances or deploy malicious code, leading to total compromise of the managed infrastructure. Because the missing checks include group checks, a user in one group can act on servers belonging to another, so cross-tenant data access is also possible in shared deployments.

Remediation

Immediate Action: Restrict access to the Roxy-WI interface to trusted administrators with network-level access control lists (firewall rules or reverse-proxy allow-lists), and review existing accounts: until a fix is available, every account, including guest accounts, must be treated as administrator-equivalent.

Proactive Monitoring: Audit Roxy-WI and system logs for management task execution (WAF or GeoIP installs, configuration pushes) or configuration changes initiated by accounts that do not hold an administrator role, and for actions on servers outside the acting user's group.
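The two conditions above (privileged action by a non-administrator, and an action on a server outside the actor's group) are easy to express as a log audit. The following is an added example, not part of the advisory or of Roxy-WI; the key=value log layout, the field names, the action names in `PRIVILEGED_ACTIONS` and the sample lines are all constructed for the illustration and will need to be mapped onto the real log format.

```python
"""Added example, not project code: flag privileged actions by low-privilege
accounts and cross-group actions in an audit log. Log format is constructed."""
import re
from dataclasses import dataclass

# Actions the advisory describes as reachable without role/group checks
# (names are assumptions for the example).
PRIVILEGED_ACTIONS = {"install_waf", "install_geoip", "config_change"}
ADMIN_ROLES = {"admin", "superAdmin"}

# Constructed sample lines; the key=value layout is an assumption, not Roxy-WI's format.
SAMPLE_LOG = """\
2026-05-01T09:58:12Z user=admin1 role=admin group=10 action=config_change server=lb-1 server_group=10
2026-05-01T10:01:45Z user=guest7 role=guest group=10 action=install_waf server=lb-1 server_group=10
2026-05-01T10:02:03Z user=guest7 role=guest group=10 action=view_stats server=lb-1 server_group=10
2026-05-01T10:05:30Z user=admin1 role=admin group=10 action=install_geoip server=lb-2 server_group=20
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    reason: str


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for tok in m.group("kv").split():
        if "=" not in tok:
            return None
        key, value = tok.split("=", 1)
        fields[key] = value
    fields["ts"] = m.group("ts")
    return fields


def audit(log_text):
    """Return one Finding per suspicious event, in log order."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        action = ev.get("action")
        role = ev.get("role", "")
        # Condition 1: a privileged task run by an account below administrator.
        if action in PRIVILEGED_ACTIONS and role not in ADMIN_ROLES:
            findings.append(Finding(ev["ts"], ev.get("user", "?"),
                                    f"role {role} ran privileged action {action}"))
        # Condition 2: target server belongs to a group the actor is not in.
        actor_group, target_group = ev.get("group"), ev.get("server_group")
        if actor_group and target_group and actor_group != target_group:
            findings.append(Finding(ev["ts"], ev.get("user", "?"),
                                    f"acted on {ev.get('server')} (group {target_group}) "
                                    f"from group {actor_group}"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f.ts, f.user, f.reason)
```

On the constructed sample this flags the guest's WAF install and the administrator's GeoIP install on a server in another group, and ignores the guest's read-only action. In a real deployment the second condition is the more useful one, since a group check failure is unusual even for legitimate administrators.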

Compensating Controls: Place the Roxy-WI management interface behind a VPN or within an isolated network segment so that only administrators can reach it at all; the advisory reports no patch available, so network-level restriction is the primary control.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Because no official patch exists, organizations must immediately restrict network access to the Roxy-WI interface, remove or disable accounts that do not need it, and review the roles and group memberships of those that remain. Applying compensating network-level controls is critical to mitigate the risk of unauthorized administrative actions until a vendor update is released.