Impact
MK-Auth version 23.01K4.9 contains an arbitrary file upload flaw that lets an attacker place a PHP file on the server and have it executed. The vulnerability arises because uploaded files are stored without type validation or execution restrictions, so the attacker can run arbitrary code on the host. Any user who can reach the upload functionality can therefore compromise the confidentiality, integrity, and availability of the system.
Affected Systems
The flaw affects the MK-Auth application, specifically the 23.01K4.9 release. No additional versions or vendors are listed in the CVE record. Administrators of systems running this release should verify the exact deployed version and identify any active upload endpoints.
Risk and Exploitability
The vulnerability is highly exploitable for an attacker with network access to the MK-Auth instance. Because the upload interface is likely exposed over HTTP, the attack vector is remote. The CVSS score is not provided, but the presence of RCE and lack of mitigation imply a severe risk. No EPSS score is available, and the issue is not listed in CISA’s KEV catalog at this time. If the upload directory is reachable, an attacker can proceed without authentication or with minimal credentials, making exploitation straightforward.
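The two missing controls named above, type validation before a file is stored and a restriction on what can execute from the upload directory, are illustrated by the following added example. It is not MK-Auth code and does not describe MK-Auth's upload handler; the allowlist, the sample file names and the sample bytes are constructed. validate_upload() models the storage-side check a hardened handler would perform, and audit_upload_dir() is the defender's counterpart for the exposure described in this section: a scan of an existing upload directory for files that carry server-side code regardless of the extension they claim.

```python
"""Upload hardening and upload-directory audit.

Added example, not MK-Auth project code. It models the two controls the
advisory says are missing: type validation before a file is stored, and a
check for server-side code that has already landed in an upload directory.
The allowlist, file names and sample bytes below are constructed.
"""
import os
import re
import secrets
import tempfile

# Allowlist: final extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
# Extensions a web server may hand to an interpreter. Rejected anywhere in
# the name, so shell.php.png is refused as firmly as shell.php.
SCRIPT_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7",
                     "phar", "phps", "cgi", "pl", "py", "sh"}
# A PHP open tag anywhere in the body marks a polyglot (valid image + script).
PHP_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)
READ_LIMIT = 1 << 20  # bytes of each file the audit inspects


def validate_upload(filename: str, data: bytes) -> str:
    """Return a random storage name for an acceptable upload, else raise ValueError."""
    base = os.path.basename(filename.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        raise ValueError("file name needs a base name and an extension")
    exts = parts[1:]
    if any(e in SCRIPT_EXTENSIONS for e in exts):
        raise ValueError("script extension in name: " + base)
    final = exts[-1]
    if final not in ALLOWED_TYPES:
        raise ValueError("extension not allowlisted: " + final)
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[final]):
        raise ValueError("content does not match ." + final)
    if PHP_TAG.search(data):
        raise ValueError("PHP open tag found in upload body")
    # The client-supplied name is discarded; only the verified extension survives.
    return secrets.token_hex(16) + "." + final


def is_rejected(filename: str, data: bytes) -> bool:
    """True when validate_upload() refuses the file (used by the self-check)."""
    try:
        validate_upload(filename, data)
    except ValueError:
        return True
    return False


def audit_upload_dir(root: str):
    """Walk an upload directory and return sorted (relative path, reason) pairs
    for files that carry server-side code, whatever their extension claims."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if any(e in SCRIPT_EXTENSIONS for e in name.lower().split(".")[1:]):
                findings.append((rel, "script extension"))
                continue
            with open(full, "rb") as fh:
                head = fh.read(READ_LIMIT)
            if PHP_TAG.search(head):
                findings.append((rel, "PHP open tag in content"))
    return sorted(findings)


# Constructed samples: a minimal PNG header, a JPEG header followed by a PHP
# open tag (polyglot), and a bare PHP file.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JPEG_POLYGLOT = b"\xff\xd8\xff\xe0" + b"<?php /* constructed marker */ ?>"
PHP_SAMPLE = b"<?php /* constructed marker */ ?>\n"


def build_sample_dir() -> str:
    """Create a throwaway directory holding the constructed samples above."""
    root = tempfile.mkdtemp(prefix="upload_audit_")
    for name, body in (("photo.png", PNG_SAMPLE),
                       ("avatar.jpg", JPEG_POLYGLOT),
                       ("shell.php", PHP_SAMPLE)):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for entry in audit_upload_dir(build_sample_dir()):
        print("%s: %s" % entry)
    print(validate_upload("photo.png", PNG_SAMPLE))
```

The storage name returned by validate_upload() is what should be written to disk; the client-supplied name never reaches the filesystem. Validation alone does not remove the second defect the advisory names: the directory that receives the stored files still has to be served with script execution disabled, and audit_upload_dir() is the check to run against that directory on an instance that was exposed before the fix.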
OpenCVE Enrichment