CVE-2026-45558

Roxy-WI · Roxy-WI (Management Interface for Haproxy, Nginx, Apache, Keepalived)

Roxy-WI 8.2.6.4 and prior allows authenticated users to inject arbitrary HAProxy directives, leading to remote code execution on load balancers.

Executive summary

A critical command injection vulnerability in Roxy-WI allows authenticated users to execute arbitrary code on managed load balancers via malformed HAProxy configurations.

Vulnerability

The vulnerability exists in the HAProxy configuration endpoints, which fail to validate or escape user-supplied JSON input. An attacker can inject malicious directives, such as external-check, to execute arbitrary system commands as the haproxy user during health checks.

Business impact

The CVSS score of 9.9 reflects the high potential for Remote Code Execution (RCE). Successful exploitation grants the attacker persistent command execution on the load balancer, which can be leveraged to intercept traffic, pivot into internal networks, or compromise the entire web application infrastructure.

Remediation

Immediate Action: Restrict access to the Roxy-WI interface and disable the ability for non-admin users to modify HAProxy configurations.

Proactive Monitoring: Monitor for suspicious HAProxy configuration updates or unexpected command execution originating from the haproxy user account.

Compensating Controls: Implement strict input validation at the Web Application Firewall (WAF) level to block requests containing HAProxy directives or unexpected command sequences until a patch is released.

Exploitation status

Public Exploit Available: False

Analyst recommendation

The absence of a patch requires immediate defensive measures to limit the attack surface. Administrators should limit access to the configuration features of Roxy-WI and monitor all service reloads for the injection of unauthorized directives.
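One way to implement the configuration monitoring recommended above, as an added example that is not Roxy-WI code: it scans a rendered HAProxy configuration for the external-check family of directives and reports any that are absent from an approved baseline. The function names, sample configurations and script path are constructed placeholders; insecure-fork-wanted is included because it is the HAProxy global keyword that permits forking for external checks.

```python
import re

# HAProxy keywords that enable or configure external health-check commands.
RISKY = re.compile(r"^(?:(?:option\s+)?external-check|insecure-fork-wanted)(?:\s|$)")
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}

def external_check_directives(cfg_text):
    """Return (line_no, section, directive) for each risky directive in a config."""
    findings, section = [], "(none)"
    for line_no, raw in enumerate(cfg_text.splitlines(), start=1):
        # Drop comments and collapse whitespace so indentation tricks do not matter.
        line = " ".join(re.sub(r"(?<!\\)#.*", "", raw).split())
        if not line:
            continue
        if line.split()[0] in SECTIONS:
            section = line  # e.g. "backend app"
        elif RISKY.match(line):
            findings.append((line_no, section, line))
    return findings

def introduced_on_update(baseline_cfg, candidate_cfg):
    """Risky directives present in the candidate config but not in the baseline."""
    known = {(sec, d) for _, sec, d in external_check_directives(baseline_cfg)}
    return [f for f in external_check_directives(candidate_cfg)
            if (f[1], f[2]) not in known]

# Constructed sample configs (not taken from a real deployment).
BASELINE = """\
global
    log /dev/log local0
backend app
    option httpchk GET /health
    server s1 10.0.0.10:8080 check
"""
CANDIDATE = """\
global
    log /dev/log local0
    external-check
backend app
    option httpchk GET /health
    option   external-check   # enable external checks
    external-check command /path/to/placeholder-script
    server s1 10.0.0.10:8080 check
"""

if __name__ == "__main__":
    for line_no, section, directive in introduced_on_update(BASELINE, CANDIDATE):
        print(f"ALERT line {line_no} [{section}]: {directive}")
```

Run it against the configuration file that will actually be loaded, before each reload, with the last reviewed copy as the baseline.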