📄 Description (English)
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the /config/ < service > /find-in-config endpoint in Roxy-WI fails to sanitize the user-supplied words parameter before embedding it into a shell command string that is subsequently executed on a remote managed server via SSH. An authenticated attacker can inject arbitrary shell metacharacters to break out of the intended grep command context and execute arbitrary OS commands with sudo privileges on the target server, resulting in full Remote Code Execution (RCE). Version 8.2.6.4 patches the issue.
🤖 AI Executive Summary
Roxy-WI versions prior to 8.2.6.4 contain a critical command injection vulnerability in the /config/<service>/find-in-config endpoint that allows authenticated attackers to execute arbitrary OS commands with sudo privileges on managed servers. The vulnerability stems from insufficient sanitization of the 'words' parameter before embedding it into shell commands executed via SSH. This affects organizations managing Haproxy, Nginx, Apache, and Keepalived infrastructure across Saudi Arabia's critical sectors.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 27, 2026 19:25
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations managing critical infrastructure: (1) Energy Sector (ARAMCO, SEC) — Roxy-WI commonly manages load balancers for SCADA and operational networks; (2) Banking & Financial Services (SAMA-regulated institutions, STC Finance) — impacts web service infrastructure and payment processing systems; (3) Government & Defense (NCA, NCSC, Ministry of Interior) — affects administrative and security infrastructure; (4) Telecommunications (STC, Mobily, Zain) — impacts network management and service delivery platforms; (5) Healthcare (MOH, private hospitals) — affects patient data systems and medical service delivery. The authenticated requirement is mitigated by the prevalence of insider threats and compromised credentials in Saudi organizations.
🏢 Affected Saudi Sectors
Energy & Utilities (ARAMCO, SEC, power generation)
Banking & Financial Services (SAMA-regulated banks, investment firms)
Government & Defense (NCA, NCSC, Ministry of Interior, Ministry of Defense)
Telecommunications (STC, Mobily, Zain, regional carriers)
Healthcare (MOH, private hospitals, medical centers)
Critical Infrastructure (water, transportation, logistics)
Large Enterprises (any organization using Roxy-WI for load balancer management)
🎯 MITRE ATT&CK Techniques
T1190 — Exploit Public-Facing Application (Roxy-WI web interface)
T1059.004 — Command and Scripting Interpreter: Unix Shell (shell command injection)
T1548.003 — Abuse Elevation Control Mechanism: Sudo and Sudo Caching (sudo privilege escalation)
T1021.006 — Remote Service Session Initiation: SSH (SSH-based command execution)
T1021.004 — Remote Service Session Initiation: SSH (lateral movement via managed servers)
T1078.001 — Valid Accounts: Default Accounts (compromised Roxy-WI credentials)
T1133 — External Remote Services (Roxy-WI as attack vector)
T1570 — Lateral Tool Transfer (moving between managed servers)
⚖️ Saudi Risk Score (AI)
8.9
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Roxy-WI instances in your environment using network scanning and asset inventory tools
2. Restrict access to Roxy-WI web interface to trusted IP ranges only via firewall rules
3. Review SSH access logs and sudo command history on all managed servers for suspicious activity
4. Disable the /config/*/find-in-config endpoint if not actively used
PATCHING:
1. Upgrade Roxy-WI to version 8.2.6.4 or later immediately
2. Test patches in non-production environment first
3. Verify patch application by checking version in Roxy-WI admin panel
COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement Web Application Firewall (WAF) rules to block requests containing shell metacharacters (|, ;, &, $, `, >, <, \n) in the 'words' parameter
2. Configure SSH key-based authentication only (disable password auth)
3. Implement command auditing on managed servers: auditctl -w /usr/bin/sudo -p x
4. Use sudo restrictions: limit Roxy-WI service account to specific commands only
5. Enable MFA for Roxy-WI administrative access
DETECTION RULES:
1. Monitor for HTTP requests to /config/*/find-in-config with special characters in parameters
2. Alert on unexpected sudo command execution from Roxy-WI service account
3. Monitor SSH sessions from Roxy-WI server for command injection patterns
4. Log and alert on any modification to managed server configurations outside normal change windows
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع مثيلات Roxy-WI في بيئتك باستخدام أدوات المسح الشبكي وجرد الأصول
2. تقييد الوصول إلى واجهة Roxy-WI على نطاقات IP موثوقة فقط عبر قواعد جدار الحماية
3. مراجعة سجلات الوصول SSH وسجل أوامر sudo على جميع الخوادم المُدارة للنشاط المريب
4. تعطيل نقطة النهاية /config/*/find-in-config إذا لم تكن قيد الاستخدام النشط
التصحيح:
1. ترقية Roxy-WI إلى الإصدار 8.2.6.4 أو أحدث على الفور
2. اختبار التصحيحات في بيئة غير الإنتاج أولاً
3. التحقق من تطبيق التصحيح بالتحقق من الإصدار في لوحة إدارة Roxy-WI
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. تنفيذ قواعد جدار تطبيقات الويب (WAF) لحظر الطلبات التي تحتوي على أحرف metacharacters (|, ;, &, $, `, >, <, \n) في معامل 'words'
2. تكوين المصادقة القائمة على مفتاح SSH فقط (تعطيل مصادقة كلمة المرور)
3. تنفيذ تدقيق الأوامر على الخوادم المُدارة: auditctl -w /usr/bin/sudo -p x
4. استخدام قيود sudo: حد من حساب خدمة Roxy-WI إلى أوامر محددة فقط
5. تفعيل MFA للوصول الإداري إلى Roxy-WI
قواعد الكشف:
1. مراقبة طلبات HTTP إلى /config/*/find-in-config بأحرف خاصة في المعاملات
2. تنبيه على تنفيذ أوامر sudo غير متوقعة من حساب خدمة Roxy-WI
3. مراقبة جلسات SSH من خادم Roxy-WI لأنماط حقن الأوامر
4. تسجيل والتنبيه على أي تعديل على تكوينات الخادم المُدار خارج نوافذ التغيير العادية
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 — Access Control Policies (authentication bypass risk)
ECC 2024 A.5.2.1 — User Registration and Access Rights Management
ECC 2024 A.6.1.1 — Information Security Policies and Procedures
ECC 2024 A.8.2.1 — User Access Management
ECC 2024 A.12.4.1 — Event Logging (detection and monitoring)
ECC 2024 A.12.6.1 — Management of Technical Vulnerabilities
🔵 SAMA CSF
SAMA CSF ID.AM-2 — Asset Management (inventory of Roxy-WI instances)
SAMA CSF PR.AC-1 — Access Control (authentication and authorization)
SAMA CSF PR.DS-2 — Data Security (protection of managed server configurations)
SAMA CSF DE.CM-1 — Detection and Analysis (monitoring for exploitation)
SAMA CSF RS.MI-2 — Incident Response (containment of RCE)
SAMA CSF RC.RP-1 — Recovery Planning (restoration of compromised systems)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 — Policies for Information Security
ISO 27001:2022 A.5.2 — Information Security Roles and Responsibilities
ISO 27001:2022 A.6.1 — Screening (vetting of administrators)
ISO 27001:2022 A.8.1 — User Endpoint Devices (securing Roxy-WI access)
ISO 27001:2022 A.8.2 — Privileged Access Rights (sudo privilege management)
ISO 27001:2022 A.8.3 — Information Access Restriction
ISO 27001:2022 A.12.6 — Management of Technical Vulnerabilities
ISO 27001:2022 A.13.1 — Network Security (SSH hardening)
🟣 PCI DSS v4.0.1
PCI DSS 2.1 — Default Security Parameters (Roxy-WI configuration hardening)
PCI DSS 6.2 — Security Patches (timely patching requirement)
PCI DSS 7.1 — Access Control (limiting administrative access)
PCI DSS 8.1 — User Identification and Authentication
PCI DSS 10.2 — Logging and Monitoring (detection of exploitation)
🔗 References & Sources 3
🔗
https://github.com/roxy-wi/roxy-wi/commit/02f147d567a3cc8cf61a4b58ea4c2b7866a544de
security-advisories@github.com
Patch
🔗
https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-7m2h-gmvj-cjx2
security-advisories@github.com
Exploit
Vendor Advisory
🔗
https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-7m2h-gmvj-cjx2
134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Vendor Advisory
📦 Affected Products / CPE 1 entries
roxy-wi:roxy-wi