External risk intelligence

Attacker can take over Creartia ICMS admin access without a password

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-4320

Creartia ICMS has a critical flaw allowing anyone to bypass login and gain admin access by tricking the system with a fake redirect. This internet-accessible vulnerability could lead to unauthorized control of your website or data.

Halo Surface Signal: 4

Privilege Escalation

External exposure likelihood

The vulnerability affects the login workflow of a Content Management System. CMS platforms are web-based applications commonly deployed as internet-facing services to manage content, making their authentication interfaces, including the login portal, frequently accessible from the public internet in standard deployments.

Horizon Alert

Summary of the vulnerability and why it matters

An authorization bypass vulnerability in Creartia's ICMS software allows unauthorized access to protected features. Attackers can exploit a flaw in the login process by manipulating HTTP redirect headers, enabling them to escalate privileges without needing credentials. This is significant because it bypasses the primary security control of authentication.

  • Gaining unauthorized system access.
  • Affecting systems accessible from the internet.
  • Bypassing login authentication.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by sending a crafted HTTP request to the login page of Creartia's ICMS. By manipulating the redirect headers, they can bypass authentication checks and gain access to protected features, effectively escalating their privileges without needing valid credentials.

  • Unauthenticated remote attacker can exploit.
  • Targets the login process.
  • Relies on manipulated redirect headers.

Live Threat

Current exploitation, exposure, and threat context

This authorization bypass in Creartia's ICMS software appears to be a notable target for attackers. Exploiting the redirect header manipulation to bypass login and gain unauthorized access is a direct path to compromising sensitive data or system control. Such vulnerabilities in content management systems are attractive because they are often internet-facing and central to an organization's digital presence.

  • No known exploitation in the wild.
  • Public exploit code is not yet available.
  • No recent significant threat signals observed.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize blocking and reviewing internet-facing ICMS login endpoints for suspicious redirect manipulation attempts. Actively monitor for signs of unauthorized access or privilege escalation following any detected bypass. Given the critical severity and the potential for exploitation over the network, immediate containment is advised.

  • Isolate or take offline affected ICMS services.
  • Implement strict input validation on HTTP redirect headers.
  • Enhance logging and monitoring for authentication anomalies.

Frequently asked questions

What is Creartia's ICMS software used for?

Creartia's ICMS is a content management system. People use it to manage content for websites and other digital platforms.

What kind of weakness does CVE-2026-4320 represent?

CVE-2026-4320 is an authorization bypass vulnerability. This means it allows someone to access things they shouldn't be able to, without going through the normal security checks.

How can an attacker trigger this vulnerability?

An attacker can exploit this by sending a specially crafted HTTP request to the login page. They would manipulate the redirect headers during the login process to bypass authentication.

Who should be concerned about this CVE-2026-4320 threat?

Organizations running a Creartia ICMS instance that is accessible from the internet should be concerned, because the vulnerability affects how users log in and could be reached by remote attackers.

What is the first step for dealing with this threat?

The immediate first step is to isolate or take offline any affected ICMS services. This prevents potential attackers from exploiting the vulnerability while other mitigation steps are prepared.
