CVE-2022-41544
Published: 2022-10-18
GetSimple CMS v3.3.16 was discovered to contain a remote code execution (RCE) vulnerability via the edited_file parameter in admin/theme-edit.php.
Priority: P268 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 9.44% (94.8th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| get-simple | getsimple_cms | — | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to admin/theme-edit.php containing the 'edited_file' parameter, which is the injection point for RCE in GetSimple CMS v3.3.16.
- The exploit leaks the API key from the CMS installation (api_leak function) and uses it to forge authentication cookies before uploading a PHP reverse shell — detect unauthenticated or anomalous API key retrieval requests followed by theme-edit POST activity.
- The exploit fetches a CSRF nonce (nonce = get_csrf_token) and then calls upload_shell followed by shell_trigger — look for rapid sequential GET then POST requests to admin endpoints from the same source IP.
- The PHP reverse shell payload uses proc_open() with file descriptors redirected to a raw TCP socket — detect PHP files in the theme directory containing 'proc_open' combined with socket descriptor redirection patterns ($sock, 1 => $sock, 2 => $sock).
- The exploit specifically targets GetSimple CMS v3.3.16; version detection is performed by the attacker before exploitation, so ensure version strings are not exposed in page source.
- Authentication is bypassed via API key leakage combined with forged cookies (set_cookies using username, version, and apikey) — the vulnerability is exploitable even without knowing valid credentials if the API key is accessible.
No detection rules found.
No writeups or analysis indexed.