CVE-2024-27115
published 2024-09-11

Priority: P2 (75)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 4.59% (90.5th percentile)
An unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. With this vulnerability, an attacker can upload executable files that are moved to a publicly accessible folder before verifying any requirements. This leads to the possibility of execution of code on the underlying system when the file is triggered. The vulnerability has been remediated in version 1.52.02.

Affected (2 ranges)

Vendor                  Product       Version range   Fixed in
simple_online_planning  so_planning
soplanning              soplanning    < 1.52.02       1.52.02

Detection & IOCs (extracted from sources)

url: /process/login.php
url: /process/upload.php
url: /upload/files/soonghee/{(unknown)}.php
path: /upload/files/soonghee/
  • Detect unauthenticated or authenticated POST requests to /process/upload.php with multipart/form-data containing a .php filename in the 'fichier-0' field and Content-Type: application/x-php — this is the malicious PHP file upload vector.
  • Alert on HTTP GET requests to /upload/files/ paths ending in .php — this indicates execution of an uploaded PHP webshell in the publicly accessible upload directory.
  • Look for multipart upload requests where the 'fichier-0' part has Content-Type: application/x-php — this is a strong indicator of malicious PHP file upload exploitation.
  • Monitor for the specific multipart boundary '0ccdfeede39eb97743b39d87536933e1' in HTTP traffic, which is hardcoded in the known exploit template for CVE-2024-27115.
  • The exploit uses a 'linkid' field value of 'soonghee' and 'periodeid' of '0' in the upload POST body — these static values can be used as a signature for the known PoC exploit.
  • Uploaded files are moved to a publicly accessible folder before verifying requirements — monitor web server access logs for .php file execution under /upload/files/.
  • The Nuclei template describes this as an 'authenticated' RCE requiring valid credentials, while the NVD entry classifies it as 'unauthenticated' RCE. Detection rules should cover both authenticated and unauthenticated upload attempts.
  • The vulnerability is remediated in version 1.52.02. Affected scope is SOPlanning versions up to and including 1.52.01.
  • The EPSS score is 0.81794 (99.19th percentile), indicating very high likelihood of exploitation in the wild — prioritize detection and patching accordingly.
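The first three detection bullets above (a multipart POST to /process/upload.php whose 'fichier-0' part carries a .php filename or Content-Type: application/x-php, and a GET for a .php file under /upload/files/) can be implemented as a small request classifier. The code below is an added example written for this page, not part of the database entry or of any vendor or scanner code; the multipart boundary, part names other than 'fichier-0', and the sample body are constructed here and are not the values from the known exploit template.

```python
import re

# Endpoints from the IOC list: the upload handler and the public upload directory.
UPLOAD_ENDPOINT = "/process/upload.php"
PUBLIC_UPLOAD_DIR = "/upload/files/"

# Pulls "name" and the optional "filename" out of a part's Content-Disposition header.
DISPOSITION_RE = re.compile(
    rb'Content-Disposition:\s*form-data;[^\r\n]*?name="(?P<name>[^"]*)"'
    rb'(?:;\s*filename="(?P<filename>[^"]*)")?', re.IGNORECASE)
PART_TYPE_RE = re.compile(rb"^Content-Type:\s*([^\r\n]+)", re.IGNORECASE | re.MULTILINE)

def multipart_parts(content_type, body):
    """Minimal multipart/form-data splitter: returns (name, filename, part content-type) tuples."""
    m = re.search(r'boundary="?([^";]+)"?', content_type, re.IGNORECASE)
    if not m:
        return []
    delimiter = b"--" + m.group(1).encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter: nothing follows
            break
        head = chunk.partition(b"\r\n\r\n")[0]
        d = DISPOSITION_RE.search(head)
        if d is None:
            continue
        t = PART_TYPE_RE.search(head)
        parts.append((d.group("name").decode(), (d.group("filename") or b"").decode(),
                      t.group(1).decode().strip().lower() if t else ""))
    return parts

def classify(method, path, content_type="", body=b""):
    """Return the detection labels matching one request (empty list when nothing fires)."""
    path = path.split("?", 1)[0]  # ignore any query string
    hits = []
    # GET for a .php file under the public upload directory: uploaded code being triggered.
    if method == "GET" and path.startswith(PUBLIC_UPLOAD_DIR) and path.lower().endswith(".php"):
        hits.append("php-request-in-upload-dir")
    # Multipart POST to the upload handler whose 'fichier-0' part carries a PHP file.
    if method == "POST" and path == UPLOAD_ENDPOINT and content_type.lower().startswith("multipart/form-data"):
        for name, filename, ptype in multipart_parts(content_type, body):
            if name == "fichier-0" and (filename.lower().endswith(".php") or ptype == "application/x-php"):
                hits.append("php-upload-in-fichier-0")
    return hits

# Constructed sample request (boundary, field values and file bytes invented for this example).
SAMPLE_CT = "multipart/form-data; boundary=ExampleBoundary42"
SAMPLE_BODY = (b'--ExampleBoundary42\r\nContent-Disposition: form-data; name="periodeid"\r\n\r\n0\r\n'
               b'--ExampleBoundary42\r\nContent-Disposition: form-data; name="fichier-0"; filename="note.php"\r\n'
               b'Content-Type: application/x-php\r\n\r\nplaceholder bytes\r\n--ExampleBoundary42--\r\n')
```

Feed each logged request's method, path, Content-Type and raw body to classify(); a hit on the upload rule followed by a hit on the upload-directory rule from the same client is the sequence the bullets describe.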

CVSS provenance

Source  Version  Score  Severity  Vector
NVD     v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD     v4.0     10.0   CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:I/V:C/RE:M/U:Red