Failed Penetration Test — Critical RCE Finding in Production
An external penetration test discovers a critical remote code execution vulnerability in the production API through an unsanitized file upload endpoint. The pentester demonstrates full shell access to the application server and lateral movement to the database server.
Pattern: UNKNOWN
Severity: CRITICAL
Confidence: 95%
Remediation: Remote Hands
Test Results

Metric               | Expected | Actual                                                                | Result
Pattern Recognition  | UNKNOWN  | UNKNOWN                                                               |
Severity Assessment  | CRITICAL | CRITICAL                                                              |
Incident Correlation | Yes      | 18 linked                                                             |
Cascade Escalation   | N/A      | No                                                                    |
Remediation          | —        | Remote Hands — Corax contacts on-site support via call, email, or API |
Scenario Conditions
Annual penetration test by third-party firm. Critical finding: RCE via file upload. Full shell access achieved. Lateral movement to DB server demonstrated. Production data accessible. Finding requires immediate remediation.
Injected Error Messages (2)
penetration test CRITICAL finding — remote code execution achieved via unsanitized file upload at /v2/upload endpoint, pentester uploaded PHP webshell disguised as JPEG (magic bytes bypass), gained www-data shell on app server 10.20.3.15, escalated to root via kernel exploit CVE-2026-1234, pivoted to database server 10.20.3.20 via stored SSH key, extracted 50 sample records proving database access, CVSS score: 9.8, attack complexity: LOW, no authentication required
production API vulnerability confirmed — /v2/upload endpoint accepts arbitrary file types despite Content-Type validation, server-side file type checking relies only on Content-Type header (easily spoofed), uploaded files stored in web-accessible directory with execute permissions, no WAF coverage for file upload content inspection, vulnerability present since deployment v4.2.0 (6 months ago), immediate patching required before public disclosure deadline
Neural Engine Root Cause Analysis
This is a critical security finding, not a traditional outage. An authorized penetration test demonstrated remote code execution against the /v2/upload endpoint: server-side type checking trusted only the client-supplied Content-Type header, so a PHP webshell carrying JPEG magic bytes was accepted and written to a web-accessible directory with execute permissions, where it ran as www-data. From that foothold the tester escalated to root on 10.20.3.15 via CVE-2026-1234, used an SSH key stored on the application server to reach the database server 10.20.3.20, and extracted sample records. The path requires no authentication, has low attack complexity, and has been present since v4.2.0 (about six months), so it must be handled as a confirmed compromise: the tester's artifacts must be removed, and upload and access logs for that window reviewed for exploitation by anyone other than the tester, before immediate containment and remediation.
Remediation Plan
1. IMMEDIATE: Disable the /v2/upload endpoint and take the affected systems offline.
2. Isolate the compromised servers (10.20.3.15, 10.20.3.20) from the network.
3. Preserve forensic evidence and logs; review /v2/upload access logs back to the v4.2.0 deployment for exploitation predating the engagement, and remove the tester's webshell and any other artifacts.
4. Rotate all SSH keys (including the stored key used for the pivot to 10.20.3.20) and all database credentials.
5. Patch the kernel vulnerability CVE-2026-1234 used for the escalation to root.
6. Fix upload handling: determine file type from content rather than the Content-Type header, allowlist extensions, store uploads outside the web root under server-generated names with no execute permission, and add WAF content inspection for the endpoint.
7. Conduct a full security audit and malware scan.
8. Rebuild the compromised systems from clean images.
9. Implement additional monitoring and access controls.
10. Coordinate with the security team and legal/compliance as required, keeping the public disclosure deadline in view.
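The root cause behind step 6 is the validation logic itself, so the following added example (not code from the tested application or from the pentest report) puts the Content-Type-only check that the injected messages describe next to a check that decides on the bytes: extension allowlist, magic bytes that must agree with the extension, a walk of the JPEG segment chain that rejects script markers in metadata segments and anything appended after EOI, and storage under a random server-chosen name with mode 0640. Python is used because the page does not name the API's language; the PHP webshell only tells us the server executes PHP. The sample uploads (a structurally minimal JPEG, a webshell appended after EOI, a webshell inside a COM segment), the function names and the storage mode are constructed for illustration.

```python
"""Upload validation for an endpoint such as /v2/upload: the Content-Type-only
check described in the finding, beside a check that inspects the bytes.

Added example, not code from the tested application. The samples are
constructed: the JPEG is structurally minimal (SOI, APP0, SOS, EOI) and not a
renderable image, which is all the segment walk below needs.
"""
import os
import secrets
import tempfile

# Constructed sample uploads.
SOI = b"\xff\xd8"
APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SOS = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34"  # header + scan data
EOI = b"\xff\xd9"
GENUINE_JPEG = SOI + APP0 + SOS + EOI
WEBSHELL = b"<?php system($_GET['cmd']); ?>"
# Webshell appended after EOI: JPEG magic intact, PHP still runs if the file executes.
POLYGLOT_TRAILING = GENUINE_JPEG + WEBSHELL
# Webshell carried inside a COM (0xFE) metadata segment.
COM = b"\xff\xfe" + (len(WEBSHELL) + 2).to_bytes(2, "big") + WEBSHELL
POLYGLOT_COMMENT = SOI + APP0 + COM + SOS + EOI

ALLOWED_TYPES = {"image/jpeg", "image/png"}
ALLOWED_EXT = {".jpg": ".jpg", ".jpeg": ".jpg", ".png": ".png"}  # ext -> canonical
MAGIC = {b"\xff\xd8\xff": ".jpg", b"\x89PNG\r\n\x1a\n": ".png"}


def vulnerable_accepts(content_type, filename, data):
    """The check the finding describes: trusts the client-supplied Content-Type
    header and never looks at the filename or the bytes. Deliberately weak."""
    return content_type in ALLOWED_TYPES


def sniff_extension(data):
    """Canonical extension implied by the magic bytes, or None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def walk_jpeg(data):
    """Walk the JPEG segment chain. Returns a rejection reason, or None if the
    file is clean: no script markers in metadata segments, nothing after EOI."""
    pos = 2  # just past SOI
    while True:
        if pos + 4 > len(data) or data[pos] != 0xFF:
            return "malformed segment header at offset %d" % pos
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded data runs to EOI
            eoi = data.find(EOI, pos)
            if eoi < 0:
                return "missing EOI"
            trailing = len(data) - (eoi + 2)
            return ("%d bytes after EOI" % trailing) if trailing else None
        if marker == 0xD9 or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            return "unexpected marker 0x%02x before SOS" % marker
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xFE or 0xE0 <= marker <= 0xEF:  # COM / APPn metadata
            if b"<?" in payload or b"<script" in payload.lower():
                return "script marker in segment 0x%02x" % marker
        pos += 2 + length


def hardened_validate(content_type, filename, data):
    """Content-Type is untrusted and ignored. Decide on the extension allowlist,
    magic bytes agreeing with the extension, and JPEG structure.
    Returns (accepted, reason)."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, "extension %r not allowed" % ext
    sniffed = sniff_extension(data)
    if sniffed is None:
        return False, "unrecognised magic bytes"
    if sniffed != ALLOWED_EXT[ext]:
        return False, "extension %s does not match content %s" % (ext, sniffed)
    if sniffed == ".jpg":
        reason = walk_jpeg(data)
        if reason:
            return False, reason
    return True, "ok"


def store_upload(data, dest_dir):
    """Write an accepted upload under a random server-chosen name whose
    extension comes from the content, not the client, with mode 0640 (no
    execute bit). dest_dir is assumed to sit outside the web root."""
    path = os.path.join(dest_dir, secrets.token_hex(16) + sniff_extension(data))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    os.fchmod(fd, 0o640)  # independent of the process umask
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo_store():
    """Store the genuine JPEG in a fresh temp dir; return (basename, mode bits)."""
    dest = tempfile.mkdtemp(prefix="uploads-")
    path = store_upload(GENUINE_JPEG, dest)
    return os.path.basename(path), os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    cases = [
        ("image/jpeg", "photo.jpg", GENUINE_JPEG),
        ("image/jpeg", "shell.php", POLYGLOT_TRAILING),      # the upload in the finding
        ("image/jpeg", "shell.php.jpg", POLYGLOT_TRAILING),
        ("image/jpeg", "photo.jpg", POLYGLOT_COMMENT),
    ]
    for ct, name, data in cases:
        print(name, "vulnerable:", vulnerable_accepts(ct, name, data),
              "hardened:", hardened_validate(ct, name, data))
```

The Content-Type-only check accepts every one of the polyglots because the header is whatever the client says it is; the hardened check rejects the .php filename outright, the appended payload because bytes follow EOI, and the COM-segment payload because a script marker sits in metadata. Re-encoding accepted images with an image library is the stronger control, since it discards everything that is not pixel data, and the storage step matters independently of any parser: with uploads outside the web root, under names the client does not control and without the execute bit, a payload that slips past validation still cannot be executed by requesting it.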