CVE-2024-32640
Published 2025-08-11
Priority P191 · critical 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · Exploit · VulnCheck KEV · Exploited in the wild
EPSS 68.59% (99.3rd percentile)
MASA CMS is an Enterprise Content Management platform based on open source technology. Versions prior to 7.4.5, 7.3.12, and 7.2.7 contain a SQL injection vulnerability in the `processAsyncObject` method that can result in remote code execution. Versions 7.4.5, 7.3.12, and 7.2.7 contain a fix for the issue.
Affected
3 ranges (the two blank rows are filled from the fixed versions in the description above)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| masacms | masacms | < 7.2.7 | 7.2.7 |
| masacms | masacms | 7.3.x, < 7.3.12 | 7.3.12 |
| masacms | masacms | 7.4.x, < 7.4.5 | 7.4.5 |
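An added worked example, not code from this page or from the Masa CMS project: the three fixed branches stated in the description turned into a triage check for version strings pulled from an inventory. The branch map follows the advisory text; the semver-style handling of pre-release tags (so `7.4.5-alpha.1` still counts as before `7.4.5`), and treating branches newer than 7.4 as outside the affected set, are assumptions of mine.

```python
import re
from typing import Optional, Tuple

# First fixed release on each maintained branch, per the advisory text:
# "versions prior to 7.4.5, 7.3.12, and 7.2.7".
FIXED_BY_BRANCH = {
    (7, 2): (7, 2, 7),
    (7, 3): (7, 3, 12),
    (7, 4): (7, 4, 5),
}

# Accepts "7.4.4" and pre-release forms such as "7.4.0-alpha.1" (the form the
# Masa CMS release line uses); anything else is rejected rather than guessed.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text: str) -> Tuple[int, int, int, Optional[str]]:
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Masa CMS version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def is_vulnerable_to_cve_2024_32640(text: str) -> bool:
    """True when the version precedes the fix on its branch.

    Assumptions (not stated on the page): a pre-release tag sorts before the
    final release of the same number, as in semver, so 7.4.5-alpha.1 is still
    vulnerable; branches older than 7.2 never received a fix; branches newer
    than 7.4 were cut after the fix and are treated as unaffected.
    """
    major, minor, patch, pre = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
        if (major, minor, patch) < fixed:
            return True
        return (major, minor, patch) == fixed and pre is not None
    return branch < (7, 2)


def triage(versions):
    """Map each observed version string to a verdict. Unparsable input is
    reported as "unknown" rather than silently treated as safe."""
    report = {}
    for v in versions:
        try:
            report[v] = "vulnerable" if is_vulnerable_to_cve_2024_32640(v) else "fixed"
        except ValueError:
            report[v] = "unknown"
    return report


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    sample = ["7.2.6", "7.2.7", "7.3.11", "7.4.5-alpha.1", "7.4.5", "7.5.0", "latest"]
    for version, verdict in triage(sample).items():
        print(f"{version:>14}  {verdict}")
```

The version string is what the `Generator: Masa CMS` banner or the admin UI reports; feed that in rather than the package name, and treat "unknown" as a host to inspect by hand.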
Detection & IOCs (extracted from sources)
path: /_api/json/v1/default/?method=processAsyncObject
body: commandobject=displayregion&contenthistid=x\'&previewid=1
snort:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Mura CMS SQL Injection via processAsyncObject API Method (CVE-2024-32640)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_api/json/v1/default/?method=processAsyncObject"; fast_pattern; http.request_body; content:"contenthistid|3d|"; pcre:"/^[^\x26]*?(?:(?:S(?:HOW\x20(?:C(?:UR(?:DAT|TIM)E|HARACTER\x20SET)|(?:VARI|T)ABLES)|ELECT\x20(?:FROM|USER))|U(?:NION\x20SELEC|PDATE\x20SE)T|DELETE\x20FROM|INSERT\x20INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\x2f\*.+\*\x2f)/Ri"; reference:cve,2024-32640; classtype:web-application-attack; sid:2057436; rev:2; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_11_13, cve CVE_2024_32640, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_11_25, reviewed_at 2025_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- The exploit targets the `processAsyncObject` API method over HTTP POST. Look for POST requests to `/_api/json/v1/default/?method=processAsyncObject` whose `contenthistid` parameter carries a SQL injection payload; the public probe is a bare single quote (`contenthistid=x\'`).
- On a vulnerable instance that probe returns HTTP 500 with `Unhandled Exception` in the JSON body and an `application/json` content-type header. The Nuclei template uses these three conditions together as its confirmation matchers; a 500 with that body on this endpoint is worth an alert on its own.
- The Shodan queries `Generator: Masa CMS` and `generator: masa cms` (the template's `shodan-query` metadata) identify internet-exposed Masa/Mura CMS instances for proactive asset discovery.
- The Snort/Suricata rule (ET sid:2057436) requires POST, the `processAsyncObject` URI and `contenthistid=` in the request body (written `contenthistid|3d|`, Snort hex notation for `=`), then applies a PCRE for SQL keywords: UNION SELECT, INSERT INTO, DELETE FROM, UPDATE SET, SELECT FROM/USER, SHOW TABLES/VARIABLES and `/* */` comments, with `.+` variants that also match URL-encoded or `+`-separated spacing. A bare single quote does not satisfy the PCRE, so the rule catches weaponized payloads rather than the PoC-style probe. Deploy it on perimeter and internal sensors.
- The vulnerability is in the `processAsyncObject` method of Masa CMS. Versions prior to 7.4.5, 7.3.12, and 7.2.7 are affected; prioritize detection on unpatched instances.
- The rule's `tls_state TLSDecrypt` and `deployment SSLDecrypt` metadata mean it inspects HTTP content: it fires on cleartext HTTP as-is, but for HTTPS only where the sensor sees decrypted traffic, so place it behind TLS inspection.
- The Nuclei template's `max-request: 1` means one POST is enough to confirm the flaw, and exploitation is likewise a single request, so one matching log entry is meaningful evidence of an attempt; do not discount it for lack of volume.
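An added example, not code from this page's sources, from Emerging Threats or from ProjectDiscovery: the match chain of ET sid:2057436 and the Nuclei template's response matchers re-implemented in Python and run over constructed requests, so you can see which payload shapes each one catches. The URI fragment, body anchor and PCRE are copied from the rule above; the `HttpRequest` type, the sample bodies and the looser `looks_like_probe` heuristic are mine.

```python
import re
from dataclasses import dataclass

# Match fragments taken verbatim from ET sid:2057436.
URI_NEEDLE = "/_api/json/v1/default/?method=processAsyncObject"
BODY_NEEDLE = "contenthistid="          # content:"contenthistid|3d|"
SQL_PCRE = re.compile(
    r"^[^\x26]*?(?:(?:S(?:HOW\x20(?:C(?:UR(?:DAT|TIM)E|HARACTER\x20SET)|(?:VARI|T)ABLES)"
    r"|ELECT\x20(?:FROM|USER))|U(?:NION\x20SELEC|PDATE\x20SE)T|DELETE\x20FROM|INSERT\x20INTO)"
    r"|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))"
    r"|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\x2f\*.+\*\x2f)",
    re.IGNORECASE,  # the rule's /i flag
)


@dataclass
class HttpRequest:
    method: str
    uri: str
    body: str            # raw body as seen on the wire (no URL decoding)


def matches_et_2057436(req: HttpRequest) -> bool:
    """Mirror of the rule's match chain: POST, URI fragment, then the PCRE
    anchored (its /R flag) right after an occurrence of contenthistid=.
    Suricata can retry later occurrences when the first fails, so loop."""
    if req.method != "POST" or URI_NEEDLE not in req.uri:
        return False
    start = 0
    while (pos := req.body.find(BODY_NEEDLE, start)) != -1:
        tail = req.body[pos + len(BODY_NEEDLE):]
        if SQL_PCRE.match(tail):
            return True
        start = pos + 1
    return False


# Looser heuristic (mine, not part of the ET rule): a quote or encoded quote in
# contenthistid on this endpoint flags a probe, since a bare quote is what the
# public PoC sends and a real contenthistid never contains one.
PROBE_RE = re.compile(r"contenthistid=[^&]*(?:'|%27)", re.IGNORECASE)


def looks_like_probe(req: HttpRequest) -> bool:
    return (req.method == "POST" and URI_NEEDLE in req.uri
            and PROBE_RE.search(req.body) is not None)


def response_confirms_vulnerable(status: int, content_type: str, body: str) -> bool:
    """The Nuclei template's three matchers, AND-ed: 500, JSON, unhandled exception."""
    return (status == 500 and "application/json" in content_type.lower()
            and "Unhandled Exception" in body)


def classify(req: HttpRequest) -> str:
    if matches_et_2057436(req):
        return "exploit"        # would raise sid:2057436
    if looks_like_probe(req):
        return "probe"          # PoC/scanner shape; misses the ET PCRE
    return "benign"


# Constructed samples, not captured traffic.
ENDPOINT = "/index.cfm/_api/json/v1/default/?method=processAsyncObject"
PROBE = HttpRequest("POST", ENDPOINT,
                    "commandobject=displayregion&contenthistid=x\\'&previewid=1")
WEAPONIZED = HttpRequest("POST", ENDPOINT,
                         "commandobject=displayregion&contenthistid=x%27+UNION+SELECT+1,2,3--+-&previewid=1")
COMMENTED = HttpRequest("POST", ENDPOINT,
                        "commandobject=displayregion&contenthistid=1/**/or/**/1=1&previewid=1")
BENIGN = HttpRequest("POST", ENDPOINT,
                     "commandobject=displayregion&contenthistid=4F2A9C&previewid=1")

if __name__ == "__main__":
    for name, req in [("probe", PROBE), ("weaponized", WEAPONIZED),
                      ("commented", COMMENTED), ("benign", BENIGN)]:
        print(f"{name:>10}: {classify(req)}")
    print("response confirms:", response_confirms_vulnerable(
        500, "application/json; charset=utf-8", '{"error":"Unhandled Exception"}'))
```

Two things the run makes visible: `http.request_body` is the raw body, which is why the rule carries the `.+` variants (`UNION+SELECT` and `UNION%20SELECT` both match), and the single-quote probe from the public template never satisfies the PCRE, so a sensor running only sid:2057436 stays silent during scanning and fires at weaponization. If you want the scanner noise too, pair the rule with the response-side matcher or a quote heuristic like `looks_like_probe`.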
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.8 | CRITICAL | — |
Suricata
ET WEB_SPECIFIC_APPS Mura CMS SQL Injection via processAsyncObject API Method (CVE-2024-32640)
suricata · 2024-11-13 · CVSS 9.8 · CRITICAL
Rule: ET Open sid:2057436 rev:2; the full rule text is reproduced under Detection & IOCs above.
Nuclei
Mura/Masa CMS - SQL Injection
nuclei · CVSS 9.8 · CRITICAL
The Mura/Masa CMS is vulnerable to SQL Injection.
Template:
```yaml
id: CVE-2024-32640

info:
  name: Mura/Masa CMS - SQL Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The Mura/Masa CMS is vulnerable to SQL Injection.
  impact: |
    Successful exploitation could lead to unauthorized access to sensitive data.
  remediation: |
    Apply the vendor-supplied patch or update to a secure version.
  reference:
    - https://blog.projectdiscovery.io/hacking-apple-with-sql-injection/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32640
  metadata:
    verified: true
    max-request: 1
    vendor: masacms
    product: masacms
    shodan-query:
      - 'Generator: Masa CMS'
      - "generator: masa cms"
  tags: cve,cve2024,sqli,cms,masa,masacms,vkev,vuln

http:
  - raw:
      - |
        POST /ind
```
Greynoiseio
NoiseLetter August 2025 (blogs_greynoiseio)
Wiz (related Masa CMS advisory, a different CVE)
CVE-2025-66492 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 · CRITICAL
## CVE-2025-66492: MasaCMS vulnerability analysis and mitigation
Masa CMS is an open source Enterprise Content Management platform. Versions 7.2.8 and below, 7.3.1 through 7.3.13, 7.4.0-alpha.1 through 7.4.8 and 7.5.0 through 7.5.1 are vulnerable to XSS when an unsanitized value of the ajax URL query parameter is directly included within a section of the HTML page. An attacker can execute arbitrary scripts in the context of the user's session, potentially leading to Session Hijacking, Data Theft, Defacement and Malware Distribution. This issue is fixed in versions 7.5.2, 7.4.9, 7.3.14, and 7.2.9. To work around this issue, configure a Web Application Firewall (WAF) rule (e.g., ModSecurity) to block requests containing common XSS payload characters in the ajax query parameter. Alternat
References
- https://github.com/MasaCMS/MasaCMS/commit/259fc6061d022d5025a3289a3f8de9852ad9c91d
- https://github.com/MasaCMS/MasaCMS/commit/280489e2d6c8daf5022fdb0225235462dd9d4534
- https://github.com/MasaCMS/MasaCMS/commit/3d6319b8775bb6438bc822d845926990511f5075
- https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-24rr-gwx3-jhqc
- https://github.com/Stuub/CVE-2024-32640-SQLI-MuraCMS
- https://projectdiscovery.io/blog/hacking-apple-with-sql-injection?ref=projectdiscovery-io-blog-newsletter
- https://www.seebug.org/vuldb/ssvid-99835