📄 Description (English)
A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloud_account results in deserialization. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
🤖 AI Executive Summary
CVE-2026-2898 is a remote code execution vulnerability in FunAdmin up to version 7.1.0-rc4 caused by unsafe deserialization in the AuthCloudService component. An attacker can manipulate the 'cloud_account' parameter to execute arbitrary code on affected systems. With public exploits available and no vendor patch forthcoming, this poses an immediate threat to organizations using FunAdmin for backend authentication services.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 25, 2026 23:47
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations using FunAdmin for backend authentication and cloud account management, particularly in: Government agencies (NCA, CITC) managing citizen identity systems; Banking sector (SAMA-regulated institutions) using FunAdmin for customer authentication; Healthcare providers (MOH) managing patient data access; Telecommunications companies (STC, Mobily) handling subscriber authentication; E-commerce and fintech platforms managing user credentials. The lack of vendor support and public exploit availability elevates risk significantly for critical infrastructure.
🏢 Affected Saudi Sectors
Government
Banking
Healthcare
Telecommunications
E-commerce
Fintech
Education
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all systems running FunAdmin versions up to 7.1.0-rc4 across your infrastructure
2. Isolate affected systems from production networks if possible, or implement network segmentation
3. Disable or restrict access to the getMember endpoint in AuthCloudService.php
4. Monitor authentication logs for suspicious cloud_account parameter values
COMPENSATING CONTROLS (until patch available):
5. Implement Web Application Firewall (WAF) rules to block requests with serialized PHP objects in cloud_account parameter
6. Add input validation to reject any cloud_account values containing 'O:' or other serialization markers
7. Implement strict rate limiting on authentication endpoints
8. Enable comprehensive logging and alerting on deserialization attempts
DETECTION RULES:
- Monitor for POST requests to AuthCloudService endpoints with base64-encoded or serialized data in cloud_account parameter
- Alert on PHP object instantiation patterns in authentication logs
- Track unusual process execution from PHP-FPM or web server processes
LONG-TERM:
9. Evaluate alternative authentication solutions or FunAdmin forks with security patches
10. Plan migration away from FunAdmin if vendor remains unresponsive
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع الأنظمة التي تعمل بإصدارات FunAdmin حتى 7.1.0-rc4 عبر البنية التحتية
2. عزل الأنظمة المتأثرة عن شبكات الإنتاج إن أمكن، أو تطبيق تقسيم الشبكة
3. تعطيل أو تقييد الوصول إلى نقطة نهاية getMember في AuthCloudService.php
4. مراقبة سجلات المصادقة للقيم المريبة في معامل cloud_account
الضوابط التعويضية (حتى توفر التصحيح):
5. تطبيق قواعد جدار حماية تطبيقات الويب لحجب الطلبات التي تحتوي على كائنات PHP المسلسلة في معامل cloud_account
6. إضافة التحقق من صحة الإدخال لرفض أي قيم cloud_account تحتوي على 'O:' أو علامات تسلسل أخرى
7. تطبيق تحديد معدل صارم على نقاط نهاية المصادقة
8. تفعيل التسجيل الشامل والتنبيهات على محاولات فك التسلسل
قواعد الكشف:
- مراقبة طلبات POST إلى نقاط نهاية AuthCloudService ببيانات مشفرة بـ base64 أو مسلسلة في معامل cloud_account
- التنبيه على أنماط إنشاء كائنات PHP في سجلات المصادقة
- تتبع تنفيذ العمليات غير المعتادة من عمليات PHP-FPM أو خادم الويب
المدى الطويل:
9. تقييم حلول المصادقة البديلة أو فروع FunAdmin مع تصحيحات الأمان
10. التخطيط للهجرة بعيداً عن FunAdmin إذا ظل البائع غير مستجيب
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Information Security Policies (vendor unresponsiveness)
ECC 2024 A.5.2.1 - Access Control (authentication endpoint compromise)
ECC 2024 A.5.3.1 - Cryptography (deserialization bypass)
ECC 2024 A.5.4.1 - Physical and Environmental Security (backend system compromise)
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Asset Management (identify FunAdmin deployments)
SAMA CSF PR.AC-1 - Access Control (authentication compromise)
SAMA CSF PR.DS-2 - Data Security (serialized object injection)
SAMA CSF DE.CM-1 - Detection and Analysis (monitoring deserialization)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access Control (authentication bypass)
ISO 27001:2022 A.5.18 - Cryptography (unsafe deserialization)
ISO 27001:2022 A.5.23 - Information Security Incident Management (breach response)
ISO 27001:2022 A.8.1 - Organizational Controls (vendor management)
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Vendor Responsibility (unresponsive vendor)
PCI DSS 6.2 - Secure Development (code review for deserialization)
PCI DSS 6.5.1 - Injection Flaws (object injection vulnerability)
🔗 References & Sources 5
🔗
https://github.com/I4m6da/CVE/issues/5
cna@vuldb.com
Exploit
Issue Tracking
🔗
https://github.com/I4m6da/CVE/issues/5#issue-3890444166
cna@vuldb.com
Exploit
Issue Tracking
🔗
https://vuldb.com/?ctiid.347209
cna@vuldb.com
Permissions Required
VDB Entry
🔗
https://vuldb.com/?id.347209
cna@vuldb.com
Third Party Advisory
VDB Entry
🔗
https://vuldb.com/?submit.753976
cna@vuldb.com
Third Party Advisory
VDB Entry
📦 Affected Products / CPE 5 entries
funadmin:funadmin
funadmin:funadmin:7.1.0
funadmin:funadmin:7.1.0
funadmin:funadmin:7.1.0
funadmin:funadmin:7.1.0