CVE-2026-56447
MISP · MISP
An authenticated MISP administrator can trigger arbitrary code execution by providing a malicious configuration file path for the Kafka_rdkafka_config setting.
Executive summary
A vulnerability in MISP allows an authenticated administrator to execute arbitrary code by manipulating the Kafka configuration file path.
Vulnerability
This vulnerability occurs because the MISP application fails to properly sanitize the Kafka_rdkafka_config setting. An authenticated site administrator can supply an arbitrary path to a malicious INI file, which is then parsed by rdkafka, leading to the execution of arbitrary code.
Business impact
With a CVSS score of 9.3, this flaw enables a malicious or compromised administrator to achieve full system control. The ability to execute arbitrary code with the privileges of the MISP process could lead to total data loss, unauthorized access to threat intelligence, and the compromise of connected security systems.
Remediation
Immediate Action: Update MISP to the latest version, which restricts configuration settings to approved directories, and ensure that filesystem permissions are tightly controlled.
Proactive Monitoring: Monitor server logs for unauthorized modifications to configuration files or anomalous processes initiated by the MISP user account.
Compensating Controls: Ensure that the MISP webroot and upload directories are non-executable and reside on a read-only filesystem where possible to prevent the hosting of malicious configuration files.
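The path restriction described under Immediate Action, written as an added example that an operator could use to audit a configured value. It is not MISP's own code or its actual fix; the approved directory /etc/misp-example/kafka and the function name check_config_path are assumptions made for illustration.

```python
import os
import stat

# Assumption: hypothetical approved directory, not a path taken from MISP.
APPROVED_DIRS = ["/etc/misp-example/kafka"]


def check_config_path(candidate, approved_dirs=APPROVED_DIRS):
    """Return (ok, reason) for a configured rdkafka config file path."""
    if not candidate or "\x00" in candidate:
        return False, "empty or contains NUL"
    if not os.path.isabs(candidate):
        return False, "relative path"
    # Resolve ".." and symlinks first so the decision is made on the
    # file's real location, not on the string the administrator typed.
    real = os.path.realpath(candidate)
    roots = [os.path.realpath(d) for d in approved_dirs]
    # commonpath compares whole components, so "/a/kafka-evil" does not
    # pass as being inside "/a/kafka".
    if not any(os.path.commonpath([real, r]) == r for r in roots):
        return False, "outside approved directories"
    try:
        st = os.stat(real)
    except OSError:
        return False, "not found"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    # A file other accounts can rewrite defeats the directory restriction.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "group- or world-writable"
    return True, "ok"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        ok, reason = check_config_path(path)
        print(f"{'ALLOW' if ok else 'DENY '} {path}: {reason}")
```

Run it with the currently configured path as an argument; a DENY result for a path under the webroot or an upload directory is the condition the Compensating Controls item is meant to prevent.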
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
While this vulnerability requires administrative access, the risk of privilege escalation and full system compromise is extreme. Organizations should patch immediately and strictly enforce the principle of least privilege for all administrative accounts within the MISP platform.