cbcvebase.
CVE-2024-2054
published 2024-03-21


Priority: P1 (85)
Severity: critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tag: EXPLOIT
EPSS: 81.26% (99.6th percentile)

The Artica-Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the "www-data" user.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| artica_tech | artica_proxy | | |
| articatech | artica_proxy | | |

Detection & IOCs (extracted from sources)

  • path: /wizard/wiz.upload.php
  • path: /wizard/wiz.wizard.progress.php
  • port: 9000
  • other: build-js (query parameter used to deliver serialized PHP object payload)
  • other: cmd (query parameter used to pass OS command for execution)
  • path: /usr/share/artica-postfix/wizard/wiz.upload.php

  • Detect unauthenticated GET requests to /wizard/wiz.wizard.progress.php containing the 'build-js' query parameter with a serialized PHP object payload — this is the deserialization trigger.
  • Detect GET requests to /wizard/wiz.upload.php with a 'cmd' query parameter — this indicates webshell-style command execution following successful deserialization exploitation.
  • Monitor for processes spawned as the 'www-data' user executing unexpected OS commands, which is the post-exploitation execution context for this CVE.
  • The exploit was successfully weaponized via Metasploit (module: exploits/linux/http/artica_proxy_unauth_rce_cve_2024_2054); monitor for Metasploit reverse shell indicators on hosts running Artica Proxy 4.40/4.50.
  • The exploit targets Artica Proxy versions 4.40 and 4.50 specifically; other versions may not be affected.
  • The administrative web interface port (default 9000) may vary depending on deployment configuration, which could affect network-layer detection rules.