cbcvebase.
CVE-2023-29689
published 2023-08-04


Priority: P278
Severity: critical (CVSS 3.1 base score 9.8)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes (EXPLOIT badge)
EPSS: 41.11% (98.5th percentile)
PyroCMS 3.9 contains a remote code execution (RCE) vulnerability that can be exploited through a server-side template injection (SSTI) flaw. This vulnerability allows a malicious attacker to send customized commands to the server and execute arbitrary code on the affected system.

Affected (2 ranges)

Vendor    Product   Version range   Fixed in
pyrocms   pyrocms   (not stated)    (none listed)
pyrocms   pyrocms   0 – 3.9         (none listed)

Detection & IOCs (extracted from sources)

url: /admin/login
url: /admin/users/roles/edit/1
url: /admin/users/roles
command: {{["<command>"]|map("system")|join}}
  • Detect SSTI payload pattern in POST body targeting the 'description_en' field on the role-edit endpoint. Look for Twig/template injection syntax using map('system') filter.
  • Monitor authenticated POST requests to /admin/users/roles/edit/1 — exploitation requires admin-level access and targets role 1's description field to inject and execute OS commands.
  • Alert on GET requests to /admin/users/roles immediately following a POST to /admin/users/roles/edit/1 from the same session — this is the attacker harvesting command output from the rendered Description field.
  • Exploitation requires an authenticated session with /admin privilege — correlate login events to /admin/login followed by rapid role-edit activity as a behavioral indicator.
  • Exploitation is authenticated — the attacker must first obtain valid admin credentials and successfully log in before the SSTI payload can be delivered.
  • The exploit specifically targets role ID 1 (the Admin role) via its description field; other role IDs are not targeted by this PoC.
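As an added example (not part of this record and not PyroCMS or cbcvebase code), the script below implements the detection bullets above as three rules run over a constructed request log: the `map("system")` SSTI pattern in a POST body to the role-edit endpoint, a login followed quickly by role-edit activity in the same session, and a GET of /admin/users/roles shortly after that edit (the output-harvest step). The log line format, the `sid=` session identifier, the time windows and the sample entries are assumptions made for the example; the payload in the sample uses the page's `<command>` placeholder. One caveat worth keeping in mind: the CVSS vector above lists PR:N, while the IOC notes state that exploitation requires an authenticated admin session; the rules follow the IOC notes and key on per-session behaviour, so an unauthenticated probe that never reaches the edit endpoint is out of scope here.

```python
import re
from datetime import datetime, timedelta

# Twig-style SSTI pattern from the IOC list: {{["..."]|map("system")|join}}
# Written loosely (whitespace, quote style) so trivial reformatting does not evade it.
SSTI_RE = re.compile(
    r"\{\{\s*\[[^\]]*\]\s*\|\s*map\(\s*['\"]system['\"]\s*\)\s*\|\s*join\s*\}\}",
    re.IGNORECASE,
)
ROLE_EDIT_RE = re.compile(r"^/admin/users/roles/edit/(\d+)$")
ROLE_LIST = "/admin/users/roles"
LOGIN = "/admin/login"

# Assumed log format (constructed for this example, not PyroCMS's own):
#   <iso-timestamp> sid=<session> <method> <path> [body=<raw request body>]
LINE_RE = re.compile(r"^(\S+) sid=(\S+) (\S+) (\S+)(?: body=(.*))?$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, sid, method, path, body = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "sid": sid, "method": method, "path": path, "body": body or ""}


def detect(lines, harvest_window=timedelta(minutes=5), login_window=timedelta(minutes=2)):
    """Return a list of (rule, session_id, detail) alerts in log order."""
    alerts = []
    last_login = {}      # sid -> timestamp of last POST /admin/login
    last_role_edit = {}  # sid -> (timestamp, role_id) of last POST to the role-edit endpoint
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        sid, ts, path = ev["sid"], ev["ts"], ev["path"]
        if ev["method"] == "POST" and path == LOGIN:
            last_login[sid] = ts
            continue
        edit = ROLE_EDIT_RE.match(path)
        if ev["method"] == "POST" and edit:
            role_id = edit.group(1)
            # Rule 1: SSTI payload pattern in the body, noting the field when visible
            if SSTI_RE.search(ev["body"]):
                field = "description_en" if "description_en=" in ev["body"] else "unknown"
                alerts.append(("ssti_payload", sid, f"role {role_id}, field {field}"))
            # Rule 2: admin login immediately followed by role-edit activity
            if sid in last_login and ts - last_login[sid] <= login_window:
                delta = int((ts - last_login[sid]).total_seconds())
                alerts.append(("login_then_role_edit", sid, f"{delta}s after login"))
            last_role_edit[sid] = (ts, role_id)
            continue
        # Rule 3: GET of the role list shortly after the edit, same session
        if ev["method"] == "GET" and path == ROLE_LIST and sid in last_role_edit:
            edit_ts, role_id = last_role_edit[sid]
            if ts - edit_ts <= harvest_window:
                alerts.append(("role_edit_then_list", sid,
                               f"possible output harvest for role {role_id}"))
    return alerts


# Constructed sample log: session A1 matches all three rules; session B7 is a
# benign edit of role 2 whose later role-list view falls outside the harvest window.
SAMPLE_LOG = [
    "2023-08-04T10:00:00Z sid=A1 POST /admin/login body=email=admin%40example.test&password=REDACTED",
    '2023-08-04T10:00:20Z sid=A1 POST /admin/users/roles/edit/1 body=name_en=Admin&description_en={{["<command>"]|map("system")|join}}',
    "2023-08-04T10:00:25Z sid=A1 GET /admin/users/roles",
    "2023-08-04T11:30:00Z sid=B7 POST /admin/users/roles/edit/2 body=name_en=Editor&description_en=Content+editors",
    "2023-08-04T11:45:00Z sid=B7 GET /admin/users/roles",
    "not a log line",
]

if __name__ == "__main__":
    for rule, sid, detail in detect(SAMPLE_LOG):
        print(f"[{rule}] session={sid} {detail}")
```

Running the script prints three alerts, all for session A1; the B7 session trips none of the rules because its role-list view comes 15 minutes after the edit. In a real deployment the body pattern alone is the high-confidence signal, and rules 2 and 3 are the behavioural corroboration the bullets above describe.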