CVE-2026-9773
Unraid · Unraid Web Server
Unraid Web Server is vulnerable to remote code execution via command injection in the ToggleState function.
Executive summary
A critical command injection vulnerability in the Unraid Web Server allows unauthenticated remote attackers to execute arbitrary code on the underlying host.
Vulnerability
This vulnerability exists due to improper sanitization of user-supplied input within the ToggleState command function, enabling command injection. An unauthenticated attacker can leverage this flaw to execute system-level commands remotely.
Business impact
The ability for an unauthenticated attacker to execute arbitrary code poses a severe risk to data integrity, confidentiality, and system availability. With a CVSS score of 8.8, this vulnerability could lead to a complete system compromise, unauthorized access to stored data, and potential lateral movement within the network, resulting in significant operational disruption and reputational damage.
Remediation
Immediate Action: Apply the security patches provided by Unraid without delay, prioritizing internet-facing instances.
Proactive Monitoring: Review web server access logs for anomalous request patterns or suspicious command strings directed at the ToggleState endpoint.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules designed to detect and block common command injection payloads.
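To make the Proactive Monitoring step above concrete, here is an added example (not part of this advisory or of Unraid's code) that scans access-log lines for ToggleState requests whose decoded parameter values carry shell metacharacters. The log lines are constructed, and the request path and parameter names are assumptions, since the advisory does not name the URL that serves ToggleState.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample access-log lines in common log format; not real Unraid traffic.
# /update.htm, cmd= and name= are assumed names, chosen only to illustrate the check.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2026:10:01:02 +0000] "GET /update.htm?cmd=ToggleState&name=plugin1 HTTP/1.1" 200 512
203.0.113.5 - - [01/Mar/2026:10:01:09 +0000] "GET /update.htm?cmd=ToggleState&name=plugin1%3Becho%20probe HTTP/1.1" 200 611
198.51.100.7 - - [01/Mar/2026:10:02:00 +0000] "GET /Dashboard HTTP/1.1" 200 8192
198.51.100.7 - - [01/Mar/2026:10:02:30 +0000] "POST /update.htm?cmd=ToggleState&name=%24%28hostname%29 HTTP/1.1" 200 600
"""

# Fields of one common-log-format line: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that have no place in a state-toggle argument:
# command separators, pipes, backgrounding, backticks, newlines and $( ) substitution.
META_RE = re.compile(r'[;|&`\n]|\$\(')


def find_suspicious(log_text: str) -> list:
    """Return one record per ToggleState request whose decoded query values look like injection."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if "togglestate" not in target.lower():
            continue
        query = target.split("?", 1)[1] if "?" in target else ""
        # parse_qsl splits on the raw '&' separators first, then percent-decodes each value,
        # so an encoded %26 inside a value is still seen as a literal '&' and flagged.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if META_RE.search(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "param": name, "value": value})
                break  # one record per request is enough for triage
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} param={h["param"]} value={h["value"]!r}')
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a hit is a lead for investigation, not proof of compromise, so pair it with the response status and the client's other activity.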
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score and the potential for remote code execution, this vulnerability represents a significant threat to the environment. Administrators should verify their current version status against vendor bulletins and apply updates immediately. If patching is not immediately feasible, restrict access to the web interface to trusted management networks.