External risk intelligence

Roxy-WI Arbitrary File Write Leading to Root RCE

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-45556

A vulnerability in Roxy-WI, a web interface for managing servers, allows an attacker to write arbitrary files to any location on the system. This can lead to the execution of commands with root privileges, potentially resulting in a complete compromise of affected load balancers and impacting the services they manage.

4Halo Surface Signal

Path Traversal

External exposure likelihood

Halo Surface Signal score for CVE-2026-45556

Roxy-WI is a web-based management interface designed to configure and manage load balancers and web servers. Such administrative interfaces are commonly deployed as web applications intended for management access, making them frequently accessible over network segments where they are exposed to administrative users or operators.

PCI scan relevance

PCI Relevance for CVE-2026-45556

Yes

CVE-2026-45556 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows for Remote Code Execution as root on load balancers, which would cause a PCI ASV scan to fail.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

Roxy-WI, a web interface for managing critical server infrastructure, contains a vulnerability that could allow an unauthenticated attacker to execute arbitrary commands as root on affected load balancers. This could lead to a complete compromise of these systems, impacting the availability and integrity of services they manage. The main concern is confirming relevance and exposure.

Attackers can gain full control of servers.
Affects critical load balancer management software.
Confirm if your servers are potentially impacted.

Attack Path

How an attacker could exploit the issue

An attacker can remotely target Roxy-WI, a web interface for server management. By sending a specially crafted POST request to a specific endpoint, an attacker can manipulate file paths, allowing them to write arbitrary content to a file on the server. This leads to the execution of malicious commands with root privileges via the cron service.

Unauthenticated remote network access required.
Attacker-controlled file write to arbitrary path.
Full remote code execution as root.

Live Threat

Current exploitation, exposure, and threat context

Roxy-WI's web interface for managing servers could be exploited to execute arbitrary code as root on load balancers. This occurs when an attacker can trick the system into writing malicious configuration files to arbitrary absolute paths on the filesystem, by leveraging a flaw in how file paths are validated and processed. When supported by the advisory, this could allow an attacker to gain full remote code execution on the affected load balancers.

Root access to load balancers.
Arbitrary file write via crafted path.
Full remote code execution.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Roxy-WI is a web interface for managing critical infrastructure like load balancers and web servers. In a real-world scenario, the application owners are responsible for this tool, with support from infrastructure or platform teams for the underlying environment. The immediate first step is to identify all Roxy-WI instances, assess their exposure and business criticality, and confirm the accountable owner before planning remediation efforts, given the lack of a public patch.

Application owners must manage this issue.
Verify Roxy-WI instances and exposure.
Plan risk-based remediation actions.

Frequently asked questions

What is Roxy-WI?

Roxy-WI is a web-based management interface used to configure and monitor load balancers such as HAProxy, Nginx, Apache, and Keepalived. It simplifies infrastructure administration by providing a centralized dashboard for managing server rules and configurations.

What does CWE-22 in CVE-2026-45556 mean?

CVE-2026-45556 involves Path Traversal, categorized as CWE-22. This weakness allows an attacker to manipulate file paths provided to the software. By bypassing security checks, the attacker can write files to unintended locations on the server's filesystem, leading to unauthorized control.

How can an attacker trigger this vulnerability?

An attacker sends a specially crafted POST request to the WAF rule-saving endpoint. By using encoded slashes in the filename field, they bypass path validation. Importantly, the attack is not triggered if the requested path fails to contain the required service name substring or the necessary configuration file extensions.

Is my Roxy-WI instance at risk?

Halo Surface Signal identifies Roxy-WI as a management tool, which is often hosted on network segments accessible to administrative users. If your instance is exposed to the network, the risk is higher. You should assess whether your deployment is reachable by unauthorized users, as this vulnerability allows remote exploitation.

What steps should I take if no patch exists?

Since there is no public patch, immediately locate all running instances of Roxy-WI. Identify the owners of these systems and restrict network access to the interface as much as possible. Prioritize monitoring your load balancer logs for suspicious file creation activity while you wait for further guidance or security updates from the project.

References

github.com/roxy-wi/roxy-wi/security/advisories/GHSA-85gm-773v-x7m4

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.