CVE-2024-27115
Published 2024-09-11
Priority: P2 · 75 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.59% (90.5th percentile)
An unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. With this vulnerability, an attacker can upload executable files that are moved to a publicly accessible folder before any requirements are verified. This makes it possible to execute code on the underlying system when the file is triggered. The vulnerability has been remediated in version 1.52.02.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| simple_online_planning | so_planning | — | — |
| soplanning | soplanning | < 1.52.02 | 1.52.02 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated or authenticated POST requests to /process/upload.php with multipart/form-data containing a .php filename in the 'fichier-0' field and Content-Type: application/x-php; this is the malicious PHP file upload vector.
- Alert on HTTP GET requests to /upload/files/ paths ending in .php; this indicates execution of an uploaded PHP webshell in the publicly accessible upload directory.
- Look for multipart upload requests where the 'fichier-0' part has Content-Type: application/x-php; this is a strong indicator of malicious PHP file upload exploitation.
- Monitor for the specific multipart boundary '0ccdfeede39eb97743b39d87536933e1' in HTTP traffic, which is hardcoded in the known exploit template for CVE-2024-27115.
- The exploit uses a 'linkid' field value of 'soonghee' and 'periodeid' of '0' in the upload POST body; these static values can be used as a signature for the known PoC exploit.
- Uploaded files are moved to a publicly accessible folder before verifying requirements; monitor web server access logs for .php file execution under /upload/files/.
- The Nuclei template describes this as an 'authenticated' RCE requiring valid credentials, while the NVD entry classifies it as 'unauthenticated' RCE. Detection rules should cover both authenticated and unauthenticated upload attempts.
- The vulnerability is remediated in version 1.52.02. Affected scope is SOPlanning versions up to and including 1.52.01.
- The EPSS score is 0.81794 (99.19th percentile), indicating very high likelihood of exploitation in the wild; prioritize detection and patching accordingly.
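The indicators listed above, combined into one detector over a parsed upload request and web server access-log lines. This is an added example, not code from the page's sources or the Nuclei template; the function names, the combined-log-format lines and the sample request are constructed, while the path, field names, boundary and static values are the ones the list gives.

```python
import re
from email import message_from_bytes

UPLOAD_PATH = "/process/upload.php"
POC_BOUNDARY = "0ccdfeede39eb97743b39d87536933e1"  # static boundary named on this page
EXEC_RE = re.compile(r'"GET ([^ ?"]*/upload/files/[^ ?"]*\.php)(?:\?\S*)? HTTP/', re.I)

def inspect_upload(method, path, content_type, body):
    """Return the names of the page's upload indicators matched by one request."""
    hits = []
    if method != "POST" or not path.split("?")[0].endswith(UPLOAD_PATH):
        return hits
    # Reuse the stdlib MIME parser: prepend the request's Content-Type header.
    msg = message_from_bytes(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    if not msg.is_multipart():
        return hits
    if msg.get_boundary() == POC_BOUNDARY:
        hits.append("poc-boundary")
    fields = {}
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition")
        if name == "fichier-0":
            if (part.get_filename() or "").lower().endswith(".php"):
                hits.append("php-filename")
            if part.get_content_type() == "application/x-php":
                hits.append("x-php-content-type")
        else:
            raw = part.get_payload(decode=True) or b""
            fields[name] = raw.decode(errors="replace").strip()
    if fields.get("linkid") == "soonghee" and fields.get("periodeid") == "0":
        hits.append("poc-static-fields")
    return hits

def php_under_upload_dir(log_lines):
    """Return request paths for GETs of .php files under /upload/files/."""
    return [m.group(1) for line in log_lines if (m := EXEC_RE.search(line))]

# Constructed sample data (placeholder file content, documentation IP ranges).
SAMPLE_BODY = (
    '--{b}\r\nContent-Disposition: form-data; name="linkid"\r\n\r\nsoonghee\r\n'
    '--{b}\r\nContent-Disposition: form-data; name="periodeid"\r\n\r\n0\r\n'
    '--{b}\r\nContent-Disposition: form-data; name="fichier-0"; filename="report.php"\r\n'
    "Content-Type: application/x-php\r\n\r\nconstructed placeholder, not PHP\r\n--{b}--\r\n"
).format(b=POC_BOUNDARY).encode()
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Sep/2024:10:00:02 +0000] "GET /upload/files/x1/report.php HTTP/1.1" 200 5',
    '198.51.100.4 - - [11/Sep/2024:10:00:09 +0000] "GET /upload/files/x1/plan.pdf HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    ctype = "multipart/form-data; boundary=" + POC_BOUNDARY
    print(inspect_upload("POST", UPLOAD_PATH, ctype, SAMPLE_BODY))
    print(php_under_upload_dir(SAMPLE_LOG))
```

The filename and Content-Type checks are the durable signals; the boundary and static field values only match the known PoC and are trivially changed, so treat them as enrichment rather than as the alert condition.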
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 10.0 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:I/V:C/RE:M/U:Red |
Nuclei
CVE-2024-27115 [CRITICAL] SOPlanning - Remote Code Execution
nuclei · CVSS 10.0
Detects a remote code execution vulnerability in SOPlanning version 1.52.01 through authenticated PHP file upload.
Template:
```yaml
id: CVE-2024-27115

info:
  name: SOPlanning - Remote Code Execution
  author: [email protected]
  severity: high
  description: |
    Detects a remote code execution vulnerability in SOPlanning version 1.52.01 through authenticated PHP file upload.
  impact: |
    Authenticated attackers can upload and execute arbitrary PHP files through the SOPlanning upload functionality, achieving remote code execution.
  remediation: |
    Update SOPlanning to a version newer than 1.52.01.
  reference:
    - https://www.exploit-db.com/exploits/52082
    - https://nvd.nist.gov/vuln/detail/CVE-2024-27115
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/V
```