Critical Authentication Bypass in Orion-Web LLM Tool Generation Allowed Remote Code Execution

A critical security flaw in the Orion-Web platform left an LLM-powered tool generation endpoint completely unauthenticated, exposing systems to arbitrary shell command execution. The vulnerability, tracked as SOC 2 corrective action CR-005, allowed attackers to craft malicious tool descriptions that the LLM would transform into executable commands—commands that the system's gateway would then store and run with full system access.

The attack chain was straightforward and devastating in its simplicity. Without any authentication barrier, a threat actor could submit a crafted description to the endpoint, instructing the LLM to generate a tool definition. The LLM would return a command—potentially including reverse shells, outbound requests, or access to sensitive files like /etc/shadow—that the gateway would subsequently execute. No input validation, no output sanitization, and no authentication stood between the attacker and remote code execution.

The fix implements four distinct defensive layers. First, the endpoint now requires authenticated users. Second, input validation enforces a 500-character limit and blocks suspicious keywords such as exfil, reverse, bind, and shell. Third, the LLM system prompt explicitly prohibits dangerous command patterns and restricts output to safe, read-only operations. Fourth, and most critically, post-generation command sanitization blocks dangerous patterns—including pipe operators (||, &&), command substitution ($(), backticks), and semicolons—before the command reaches the gateway. Organizations running Orion-Web should verify their deployments reflect these controls immediately.