CVE-2024-2053
published 2024-03-21


Priority: P1 · 83 · high · 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 44.58% (98.6th percentile)
Description (as published; the published text merges wording from two related issues): The Artica Proxy administrative web application attempts to prevent local file inclusion. These protections can be bypassed, and arbitrary file requests supplied by unauthenticated users will be returned according to the privileges of the "www-data" user. This issue was demonstrated on version 4.50. The same published text also states that the application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as "www-data"; note that the CVSS vector on this page (C:H/I:N/A:N, confidentiality impact only) and the detection content below cover the file-read (LFI) issue.

Affected

4 ranges (version range and fixed-in values are not shown on this page)

Vendor        Product        Version range   Fixed in
artica_tech   artica_proxy
artica_tech   artica_proxy
articatech    artica_proxy
articatech    artica_proxy

Detection & IOCs (extracted from sources)

  • url: /images.listener.php?uri=1&mailattach=..././..././..././..././..././epasswdtc/ppasswdasswd
  • path: /images.listener.php
  • response body regex (listed as "yara" on the source): /root:.*:0:0:/
  • HTTP GET requests to /images.listener.php whose 'mailattach' parameter contains path traversal sequences (in particular '..././') should be flagged as LFI exploitation attempts against Artica Proxy.
  • A 200 response from /images.listener.php served as 'application/force-download' (the forced-download content type) whose body matches /root:.*:0:0:/ indicates successful LFI exploitation; the status code alone is not enough, since benign attachment downloads also return 200.
  • Shodan/FOFA fingerprint for exposed Artica Proxy instances: search for HTTP HTML or body containing 'artica'.
  • The bypass works because the protection removes '../' in a single pass: '..././' loses its middle '../' and collapses to '../', which then reaches the filesystem. The filename portion of the published IOC appears to use the same trick against a second filtered token, since removing 'passwd' from 'epasswdtc/ppasswdasswd' leaves 'etc/passwd'.
  • The vulnerability was demonstrated on Artica Proxy version 4.50; the CPE in the template references 4.40, so detection should cover both versions.
  • Files are read with the privileges of the 'www-data' user, so only files readable by that user are returned; not every target will be accessible.

CVSS provenance

NVD (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
VulnCheck: 7.5 HIGH