Executive Summary
A critical missing authentication vulnerability (CVE-2026-4312) has been disclosed in DrangSoft's GCB/FCB Audit Software, a financial auditing platform. The flaw carries a CVSS score of 9.8 (Critical) and allows unauthenticated remote attackers to directly invoke certain administrative APIs to create new administrator accounts — granting complete, persistent control over the affected system with zero credentials required.
CVSS Score: 9.8 (Critical)
Published to the NVD on March 17, 2026, this vulnerability (CWE-306 — Missing Authentication for Critical Function) represents one of the most severe authentication failures possible: privileged API endpoints are reachable over the network without any form of credential or session validation. No patch is currently available.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-4312 |
| CVSS Score | 9.8 (Critical) |
| CWE | CWE-306: Missing Authentication for Critical Function |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Component | Administrative API endpoints |
| Root Cause | No authentication enforced before accessing critical admin APIs |
Affected Products
| Vendor | Product | Affected Versions | Fixed Version |
|---|---|---|---|
| DrangSoft | GCB/FCB Audit Software | All versions | None available |
Vulnerability Details
Missing Authentication on Administrative APIs
The GCB/FCB Audit Software exposes administrative API endpoints that perform privileged operations — including creating new administrator accounts — without enforcing any authentication checks. Any network-accessible attacker can invoke these APIs directly by sending crafted HTTP requests to the application.
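To make the CWE-306 pattern concrete, the following is an added illustration written for this advisory, not DrangSoft code (the product's internals are not published here). It shows a hypothetical admin-account-creation handler first without any credential check, then wrapped in a decorator that requires a valid administrator session and records the acting administrator in an audit trail. The Request shape, the in-memory session store, the path /api/admin/users and the decorator name are all assumptions made for the example.

```python
"""Added example: the CWE-306 pattern on a hypothetical admin-creation handler.

Constructed illustration, not DrangSoft code. The Request shape, the in-memory
session store, the path "/api/admin/users" and the require_admin_session
decorator are assumptions made for this example.
"""
import hashlib
import os
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    path: str
    body: Dict[str, str]
    session_token: Optional[str] = None  # value of a session cookie, None if absent


@dataclass
class AppState:
    admins: Dict[str, bytes] = field(default_factory=dict)      # username -> password hash
    sessions: Dict[str, str] = field(default_factory=dict)      # session token -> username
    audit_log: List[str] = field(default_factory=list)          # record of privileged actions


def hash_password(password: str) -> bytes:
    """Salted PBKDF2; the salt is prepended so the stored value is self-describing."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_admin_unauthenticated(state: AppState, req: Request) -> dict:
    """Vulnerable pattern: a privileged operation with no credential or session
    check at all (CWE-306). Whoever can reach the endpoint can create an admin."""
    username = req.body["username"]
    state.admins[username] = hash_password(req.body["password"])
    state.audit_log.append(f"admin created: {username} by <unauthenticated>")
    return {"status": 201, "created": username}


def require_admin_session(handler: Callable[[AppState, Request, str], dict]):
    """Enforce authentication (valid session) and authorization (admin role)
    before the wrapped handler runs; the caller's identity is passed through."""
    @wraps(handler)
    def wrapper(state: AppState, req: Request) -> dict:
        actor = state.sessions.get(req.session_token) if req.session_token else None
        if actor is None:
            return {"status": 401, "error": "authentication required"}
        if actor not in state.admins:
            return {"status": 403, "error": "administrator privileges required"}
        return handler(state, req, actor)
    return wrapper


@require_admin_session
def create_admin_hardened(state: AppState, req: Request, actor: str) -> dict:
    """Same operation, reachable only through a valid administrator session,
    with the acting administrator written to the audit trail."""
    username = req.body["username"]
    if username in state.admins:
        return {"status": 409, "error": "account already exists"}
    state.admins[username] = hash_password(req.body["password"])
    state.audit_log.append(f"admin created: {username} by {actor}")
    return {"status": 201, "created": username}


def new_state_with_root() -> AppState:
    """Constructed starting state: one provisioned administrator, no sessions."""
    state = AppState()
    state.admins["root"] = hash_password("<placeholder>")
    return state


if __name__ == "__main__":
    req = Request("/api/admin/users", {"username": "new_admin", "password": "<pw>"})
    print("unauthenticated handler:", create_admin_unauthenticated(new_state_with_root(), req))
    state = new_state_with_root()
    print("hardened, no session:  ", create_admin_hardened(state, req))
    state.sessions["tok-root"] = "root"
    print("hardened, root session:", create_admin_hardened(state, Request(req.path, req.body, "tok-root")))
```

The point of the decorator is that the check cannot be forgotten per endpoint: every privileged handler is registered through it, so a missing session yields 401 before any account is written, and the audit trail always names a real administrator rather than an anonymous caller.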
The attack flow is straightforward:
1. Attacker identifies a GCB/FCB Audit Software instance exposed on the network
2. Attacker sends a crafted API request to the unauthenticated admin endpoint
3. The application processes the request without validating credentials or session tokens
4. A new administrator account is created with attacker-specified credentials
5. Attacker logs in as administrator — full system control achieved
Impact of Successful Exploitation
Once an attacker creates a rogue administrator account, they have unrestricted access to:
- All financial audit data stored in the system
- All user accounts and credentials managed by the software
- Configuration and audit trail manipulation — covering tracks or falsifying records
- Lateral movement using credentials or data extracted from the audit platform
- Persistent backdoor access — admin accounts survive reboots and updates
Attack Surface
| Surface | Risk Level | Description |
|---|---|---|
| Internet-exposed instances | Critical | Any GCB/FCB instance reachable from the public internet is trivially compromised |
| Internal network exposure | High | Attackers with internal network access (VPN breach, insider, lateral movement) can escalate immediately |
| Cloud-hosted deployments | High | Misconfigured cloud instances without firewall rules are directly exploitable |
| Audit firm networks | Critical | Financial audit environments typically contain highly sensitive client data |
Risk Context
GCB/FCB Audit Software is used in financial and compliance auditing workflows. Successful exploitation of this vulnerability would give attackers access to:
- Confidential financial records and audit findings
- Personally identifiable information of individuals under audit
- Corporate financial data subject to regulatory protection
- Credentials or API keys stored within the audit platform
Given the nature of the data involved, organizations using this software are at risk of regulatory penalties, data breach notification obligations, and reputational damage in the event of exploitation.
Recommended Mitigations
Immediate Actions (No Patch Available)
Since no vendor patch exists, organizations must apply compensating controls immediately:
1. Network Isolation
```bash
# Block all inbound access to the GCB/FCB application port from untrusted networks
# Example using iptables (adjust port as appropriate)
# iptables -I inserts at the top of the chain, so insert the DROP first and the
# ACCEPT second: the ACCEPT then sits above the DROP and is evaluated first.
iptables -I INPUT -p tcp --dport <APP_PORT> -j DROP
iptables -I INPUT -p tcp --dport <APP_PORT> -s <TRUSTED_CIDR> -j ACCEPT
```
2. Place Behind VPN or Zero-Trust Gateway
Move the application off any internet-facing network segment. All access should require VPN authentication before reaching the application.
3. Web Application Firewall (WAF) Rules
Deploy WAF rules to block unauthenticated requests to known admin API paths. Monitor for requests to administrative endpoints originating from unexpected source IPs.
4. Audit Existing Admin Accounts
Immediately review all administrator accounts configured in the system. Revoke any accounts that cannot be traced to a legitimate provisioning event.
5. Monitor for Exploitation Indicators
| Indicator | Description |
|---|---|
| New admin accounts with unfamiliar usernames | Potential backdoor accounts created via the API |
| API requests to admin endpoints without session tokens | Active exploitation attempts |
| Login events from unexpected IP addresses | Use of attacker-created accounts |
| Unexpected changes to audit records or configuration | Post-exploitation tampering |
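The following added example implements the monitoring side of steps 3 and 5 above (admin endpoint requests without a session token, requests from unexpected source IPs, and new administrator accounts) as detection logic run over constructed access-log lines. It is not a vendor or DrangSoft tool: the log format, the ADMIN_PREFIX path and the TRUSTED_ADMIN_NETS range are assumptions to replace with the real deployment's values, and the sample log is constructed for the example.

```python
"""Added example: detection logic for the exploitation indicators above, run
over constructed access-log lines. Not a vendor or DrangSoft tool. The log
format, ADMIN_PREFIX and TRUSTED_ADMIN_NETS are assumptions to adapt.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Assumption: admin API paths share this prefix; the real paths come from the vendor.
ADMIN_PREFIX = "/api/admin/"
# Assumption: administrators only reach the application from this VPN range.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed log format, one request per line:
#   <timestamp> <source-ip> <method> <path> <status> session=<token-id or ->
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) session=(?P<session>\S+)$"
)

# Constructed sample: one legitimate admin read, one anonymous account creation
# from outside the trusted range, then a login attempt from that same source.
SAMPLE_LOG = """\
2026-03-18T09:00:01Z 10.20.4.7 GET /api/admin/users 200 session=s1a2b3
2026-03-18T09:05:12Z 203.0.113.45 POST /api/admin/users 201 session=-
2026-03-18T09:05:40Z 203.0.113.45 POST /api/auth/login 200 session=-
2026-03-18T09:06:02Z 10.20.4.7 GET /reports/q1 200 session=s1a2b3
""".splitlines()


@dataclass(frozen=True)
class Finding:
    ts: str
    src_ip: str
    path: str
    indicator: str


def analyze(lines: List[str]) -> List[Finding]:
    """Return one Finding per matched indicator; a single line may yield several."""
    findings: List[Finding] = []
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m or not m["path"].startswith(ADMIN_PREFIX):
            continue  # unparseable or not an admin endpoint: out of scope here
        ip = ipaddress.ip_address(m["ip"])
        ts, path, status = m["ts"], m["path"], int(m["status"])
        if m["session"] == "-":
            findings.append(Finding(ts, str(ip), path, "admin API request without session token"))
        if not any(ip in net for net in TRUSTED_ADMIN_NETS):
            findings.append(Finding(ts, str(ip), path, "admin API request from unexpected source IP"))
        if m["method"] == "POST" and path == ADMIN_PREFIX + "users" and 200 <= status < 300:
            findings.append(Finding(ts, str(ip), path, "administrator account created"))
    return findings


def sources_to_block(findings: List[Finding]) -> List[str]:
    """Source IPs that sent unauthenticated admin API requests, for a WAF or firewall deny list."""
    return sorted({f.src_ip for f in findings if "without session token" in f.indicator})


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts} {f.src_ip} {f.path}: {f.indicator}")
    print("sources to block:", sources_to_block(results))
```

A successful 2xx on an unauthenticated POST to the account-creation path is the strongest signal here: it maps directly to the "new admin accounts" indicator and should trigger the account audit in step 4, not just an alert. Tokenless requests that were rejected are still worth recording, since they show who is probing the endpoint before any isolation is in place.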
Vendor Contact
Organizations should contact DrangSoft directly to request a patch timeline and any vendor-provided mitigation guidance. If no response is received, consider suspending use of the software until a fix is available.
Post-Remediation Checklist
- Verify network isolation — confirm the application is not reachable from untrusted network segments
- Audit all admin accounts — remove any accounts that cannot be verified as legitimate
- Review audit logs — check for evidence of unauthenticated API access prior to isolation
- Enable alerting — configure monitoring for admin API access attempts
- Contact vendor — request patch ETA and check vendor security advisories regularly
- Assess data exposure — determine if any unauthorized access occurred before the issue was remediated
References
- CVE-2026-4312 — NVD
- DrangSoft GCB/FCB Audit Software Critical Unauthenticated Admin Creation — TheHackerWire
- CVE-2026-4312: CWE-306 Missing Authentication — OffSeq Threat Radar
- CVE-2026-4312 — THREATINT
- CVE-2026-4312 — Vulnerability-Lookup