📄 Description (English)
A weakness has been identified in funadmin up to 7.1.0-rc4. This affects the function setConfig of the file app/backend/controller/Ajax.php of the component Configuration Handler. Executing a manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
🤖 AI Executive Summary
CVE-2026-2896 is a high-severity authorization bypass vulnerability in FunAdmin up to version 7.1.0-rc4 affecting the Configuration Handler component. An attacker can remotely manipulate the setConfig function in Ajax.php to bypass authorization controls, potentially gaining unauthorized administrative access. With public exploit availability and unresponsive vendor, immediate patching is critical for all Saudi organizations using this platform.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 5, 2026 19:33
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi government agencies, municipalities, and private sector organizations using FunAdmin for administrative management. High-risk sectors include: Government (NCA, CITC) — potential compromise of administrative configurations; Banking & Financial Services — unauthorized access to system settings affecting transaction processing; Healthcare (MOH) — compromise of patient data management systems; Telecommunications (STC, Mobily) — unauthorized modification of network configurations; Energy Sector (ARAMCO, SEC) — critical infrastructure configuration tampering. The authorization bypass could enable privilege escalation and lateral movement within affected systems.
🏢 Affected Saudi Sectors
Government & Public Administration
Banking & Financial Services
Healthcare
Energy & Utilities
Telecommunications
Education
Retail & E-commerce
🎯 MITRE ATT&CK Techniques
T1548 - Abuse Elevation Control Mechanism
T1548.002 - Bypass User Account Control
T1078 - Valid Accounts
T1078.001 - Default Accounts
T1098 - Account Manipulation
T1098.002 - Exchange Email Delegate Permissions
T1190 - Exploit Public-Facing Application
T1133 - External Remote Services
T1556 - Modify Authentication Process
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all instances of FunAdmin versions up to 7.1.0-rc4 in your environment using asset discovery tools
2. Isolate affected systems from production networks if patching cannot be completed within 24 hours
3. Review access logs for Ajax.php setConfig function calls for suspicious activity (timestamps, source IPs, parameter values)
4. Check for unauthorized configuration changes in the past 30 days
PATCHING GUIDANCE:
1. Upgrade FunAdmin to version 7.1.0 final release or later immediately
2. If immediate upgrade is not possible, apply vendor security patches when available
3. Test patches in staging environment before production deployment
COMPENSATING CONTROLS (if patching delayed):
1. Implement Web Application Firewall (WAF) rules to block POST requests to Ajax.php containing setConfig parameters
2. Restrict network access to Ajax.php to authorized administrative IP ranges only
3. Implement request signing/validation at the application layer
4. Enable detailed logging and alerting for all configuration changes
5. Implement rate limiting on Ajax.php endpoints
DETECTION RULES:
1. Monitor for POST requests to /app/backend/controller/Ajax.php with setConfig function calls
2. Alert on configuration file modifications outside of scheduled maintenance windows
3. Track failed authorization attempts followed by successful configuration changes
4. Monitor for unusual parameter values in setConfig requests (SQL injection patterns, command injection attempts)
5. Implement SIEM rules to correlate multiple failed auth attempts with successful config changes
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع نسخ FunAdmin حتى الإصدار 7.1.0-rc4 في بيئتك باستخدام أدوات اكتشاف الأصول
2. عزل الأنظمة المتأثرة عن شبكات الإنتاج إذا لم يتمكن من إكمال التصحيح خلال 24 ساعة
3. مراجعة سجلات الوصول لوظيفة setConfig في Ajax.php للنشاط المريب (الطوابع الزمنية وعناوين IP المصدر وقيم المعاملات)
4. التحقق من التغييرات غير المصرح بها في التكوين خلال آخر 30 يوماً
إرشادات التصحيح:
1. ترقية FunAdmin إلى الإصدار 7.1.0 النهائي أو أحدث على الفور
2. إذا لم يكن الترقية الفورية ممكنة، قم بتطبيق تصحيحات الأمان من البائع عند توفرها
3. اختبر التصحيحات في بيئة التجريب قبل نشرها في الإنتاج
عناصر التحكم البديلة (إذا تأخر التصحيح):
1. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لحظر طلبات POST إلى Ajax.php التي تحتوي على معاملات setConfig
2. تقييد الوصول إلى الشبكة إلى Ajax.php لنطاقات عناوين IP الإدارية المصرح بها فقط
3. تنفيذ التوقيع/التحقق من الطلب على مستوى التطبيق
4. تفعيل السجلات التفصيلية والتنبيهات لجميع تغييرات التكوين
5. تنفيذ تحديد معدل على نقاط نهاية Ajax.php
قواعد الكشف:
1. مراقبة طلبات POST إلى /app/backend/controller/Ajax.php مع استدعاءات وظيفة setConfig
2. التنبيه على تعديلات ملفات التكوين خارج نوافذ الصيانة المجدولة
3. تتبع محاولات التفويض الفاشلة متبوعة بتغييرات تكوين ناجحة
4. مراقبة قيم المعاملات غير العادية في طلبات setConfig (أنماط حقن SQL وأنماط حقن الأوامر)
5. تنفيذ قواعد SIEM لربط محاولات المصادقة الفاشلة المتعددة مع تغييرات التكوين الناجحة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.9.2.1 - User access management and authorization controls
ECC 2024 A.9.4.3 - Password management and access control
ECC 2024 A.12.4.1 - Event logging and monitoring
ECC 2024 A.12.4.3 - Administrator and operator logs
ECC 2024 A.14.2.1 - Secure development policy
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software and hardware asset management
SAMA CSF PR.AC-1 - Access control policy and procedures
SAMA CSF PR.AC-4 - Access rights and privileges management
SAMA CSF DE.CM-1 - System monitoring and anomaly detection
SAMA CSF DE.AE-1 - Audit and accountability mechanisms
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access control
ISO 27001:2022 A.8.2 - Privileged access rights
ISO 27001:2022 A.8.3 - Information access restriction
ISO 27001:2022 A.12.4 - Logging
ISO 27001:2022 A.14.2 - Secure development policy and procedures
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Change default vendor-supplied passwords
PCI DSS 6.2 - Security patches and updates
PCI DSS 7.1 - Limit access to system components
PCI DSS 10.2 - Implement automated audit trails
🔗 References & Sources 5
🔗
https://github.com/I4m6da/CVE/issues/3
cna@vuldb.com
Exploit
Issue Tracking
🔗
https://github.com/I4m6da/CVE/issues/3#issue-3884949083
cna@vuldb.com
Exploit
Issue Tracking
🔗
https://vuldb.com/?ctiid.347207
cna@vuldb.com
Permissions Required
VDB Entry
🔗
https://vuldb.com/?id.347207
cna@vuldb.com
Third Party Advisory
VDB Entry
🔗
https://vuldb.com/?submit.753972
cna@vuldb.com
Third Party Advisory
VDB Entry
📦 Affected Products / CPE 5 entries
funadmin:funadmin
funadmin:funadmin:7.1.0
funadmin:funadmin:7.1.0
funadmin:funadmin:7.1.0
funadmin:funadmin:7.1.0