Overview
- The vulnerability, tracked as CVE-2026-23550 with a CVSS score of 10.0, affects Modular DS versions up to and including 2.5.1 and enables unauthenticated privilege escalation.
- Exploitation was first observed on January 13 around 02:00 UTC with HTTP GET requests to /api/modular-connector/login/ and attempts to create administrator accounts.
- Observed activity has been linked to requests from IP addresses 45.11.89.19 and 185.196.0.11, targeting routes that expose login, server information, management, and backup functions.
- Patchstack attributes the flaw to combined design choices, including permissive direct-request handling via origin=mo and type parameters, URL-based route matching, authentication tied only to site connection state, and an automatic administrator login fallback.
- Modular DS version 2.5.2 replaces URL-based route matching with validated filter logic and adds a default 404 route and safer failure modes. Users are advised to upgrade immediately, review logs for /api/modular-connector/ requests, check for rogue admins, and regenerate WordPress salts.
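
The log review advised above can be scripted. The following is an added example, not code from Patchstack or Modular DS: it scans access-log lines for requests under /api/modular-connector/ and annotates each hit with the indicators named on this page. It assumes Combined Log Format; the sample lines, their timestamps and status codes, the `example-route` path segment and the `type` value are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, unquote

CONNECTOR_PREFIX = "/api/modular-connector/"      # from the advisory
REPORTED_IPS = {"45.11.89.19", "185.196.0.11"}    # from the advisory

# Assumes Combined Log Format; adjust the pattern for other formats.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def review(lines):
    """Return one finding per request that reached the connector API."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable request line
        raw_path, _, raw_query = m["target"].partition("?")
        # Normalise case, percent-encoding and doubled slashes so variants are not missed.
        path = re.sub(r"/+", "/", unquote(raw_path)).lower()
        if not path.startswith(CONNECTOR_PREFIX):
            continue
        query = parse_qs(raw_query, keep_blank_values=True)
        reasons = []
        if "mo" in query.get("origin", []):
            reasons.append("origin=mo direct request")
        if path.startswith(CONNECTOR_PREFIX + "login"):
            reasons.append("login route")
        if m["ip"] in REPORTED_IPS:
            reasons.append("reported source IP")
        if m["status"][0] in "23":
            reasons.append("served with " + m["status"])
        findings.append({"ip": m["ip"], "time": m["ts"],
                         "path": path, "reasons": reasons})
    return findings

# Constructed sample lines: timestamps, status codes, "example-route" and the
# type value are placeholders, not observed data.
SAMPLE = [
    '45.11.89.19 - - [13/Jan/2026:02:00:41 +0000] "GET /api/modular-connector/login/?origin=mo&type=x HTTP/1.1" 302 0 "-" "-"',
    '203.0.113.7 - - [13/Jan/2026:02:03:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4312 "-" "-"',
    '203.0.113.9 - - [13/Jan/2026:02:05:55 +0000] "GET /API//modular-connector/example-route?origin=mo&type=x HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for f in review(SAMPLE):
        print(f["time"], f["ip"], f["path"], "; ".join(f["reasons"]) or "connector request")
```

A hit marked as served on a site that was running 2.5.1 or earlier is the case that warrants the rogue-administrator check and salt regeneration listed above.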