Assetnote researchers have identified a critical zero-day vulnerability in Craft CMS, a widely used content management system with over 100,000 customers. This vulnerability, tracked as CVE-2024-56145, allows unauthenticated attackers to perform remote code execution (RCE) under default PHP configurations. With 50,915 Craft CMS instances exposed online, the vulnerability poses a serious threat to affected systems.
| Product | Craft Commerce,Craft CMS |
| Date | 2024-12-25 17:57:25 |
| Information |
|
Technical Summary
The vulnerability affects the following versions of Craft CMS:
- 5.0.0-RC1 (inclusive) up to 5.5.2 (exclusive)
- 4.0.0-RC1 (inclusive) up to 4.13.2 (exclusive)
- 3.0.0 (inclusive) up to 3.9.14 (exclusive)
When register_argc_argv is enabled (the default setting in PHP), attackers can exploit the command-line argument handling in the Craft CMS bootstrap process, achieving unauthenticated remote code execution via template injection.
Craft CMS versions 5.5.2, 4.13.2, and 3.9.14 contain the patches that resolve this vulnerability. Users of the affected versions are strongly advised to update immediately.
Recommendations
To mitigate the risk of exploitation:
- Update Craft CMS:
- Upgrade to version 5.5.2 (for 5.x users), 4.13.2 (for 4.x users), or 3.9.14 (for 3.x users).
- Disable
register_argc_argv:- Temporarily mitigate the vulnerability by disabling this setting in the
php.inifile:register_argc_argv = Off
- Temporarily mitigate the vulnerability by disabling this setting in the
- Verify exposed instances:
- Identify exposed Craft CMS installations and verify that they are using secure versions.
[Callforaction-THREAT-Footer]
