Critical Remote Code Execution Vulnerability in Craft CMS (CVE-2024-56145)

ISGroup Cybersecurity

Assetnote researchers have identified a critical zero-day vulnerability in Craft CMS, a widely used content management system with over 100,000 customers. This vulnerability, tracked as CVE-2024-56145, allows unauthenticated attackers to perform remote code execution (RCE) under default PHP configurations. With 50,915 Craft CMS instances exposed online, the vulnerability poses a serious threat to affected systems.

ProductCraft Commerce,Craft CMS
Date2024-12-25 17:57:25
Information
  • Fix Available
  • Active Exploitation

Technical Summary

The vulnerability affects the following versions of Craft CMS:

  • 5.0.0-RC1 (inclusive) up to 5.5.2 (exclusive)
  • 4.0.0-RC1 (inclusive) up to 4.13.2 (exclusive)
  • 3.0.0 (inclusive) up to 3.9.14 (exclusive)

When register_argc_argv is enabled (the default setting in PHP), attackers can exploit the command-line argument handling in the Craft CMS bootstrap process, achieving unauthenticated remote code execution via template injection.

Craft CMS versions 5.5.2, 4.13.2, and 3.9.14 contain the patches that resolve this vulnerability. Users of the affected versions are strongly advised to update immediately.

Recommendations

To mitigate the risk of exploitation:

  1. Update Craft CMS:
    • Upgrade to version 5.5.2 (for 5.x users), 4.13.2 (for 4.x users), or 3.9.14 (for 3.x users).
  2. Disable register_argc_argv:
    • Temporarily mitigate the vulnerability by disabling this setting in the php.ini file: register_argc_argv = Off
  3. Verify exposed instances:
    • Identify exposed Craft CMS installations and verify that they are using secure versions.

[Callforaction-THREAT-Footer]